National Security
Reference: Gorian E. The Role of the Financial Regulator of Thailand in Ensuring the Information Security of the Financial and Banking Sector // National Security. 2022. № 5. P. 80-90. DOI: 10.7256/2454-0668.2022.5.39079 EDN: HTPVVG URL: https://en.nbpublish.com/library_read_article.php?id=39079
The Role of the Financial Regulator of Thailand in Ensuring the Information Security of the Financial and Banking Sector
DOI: 10.7256/2454-0668.2022.5.39079
EDN: HTPVVG
Received: 26-10-2022
Published: 02-11-2022

Abstract: The object of the study is the relations arising during the functioning of the national legal mechanism for ensuring cybersecurity. The subject of the study is presented by regulatory legal acts and sources of "soft law" of Thailand, which establish requirements for information systems of the financial and banking sector. Using the example of the second economy in Southeast Asia, Thailand, the role of the state's financial regulator, the Bank of Thailand (BOT), in ensuring cybersecurity of the financial and banking sector is described. The features of the legal status of the Bank of Thailand that determine its coordinating role in the institutional mechanism for ensuring cybersecurity are highlighted. The key documents of the financial regulator that form the regulatory mechanism for ensuring cybersecurity in Thailand are examined. The powers of the financial regulator of Thailand are distributed among three bodies. The Bank of Thailand controls commercial banks, financial companies, credit institutions, asset management companies, electronic payment services and credit card companies. The Securities and Exchange Commission oversees securities transactions, while the Insurance Commission oversees the activities of insurance companies. Ensuring information security is entrusted to the Bank of Thailand, which is authorized to create a risk management system for financial institutions in order to ensure their stability. To this end, it adopts regulations that establish security standards for three types of information systems: general, serving electronic payments and serving electronic payment cards. Noteworthy is the requirement for information system operators, when concluding a service agreement, to define the rights of internal and external auditors, as well as of an official of the Bank of Thailand, to verify transactions and control the service provider. The financial regulator determines the status of service providers of particularly important payment systems, charging them with the obligation to develop security measures for information systems depending on the types and complexity of their own services.

Keywords: financial and banking sector, information security, financial regulator, digital infrastructure, critical information infrastructure, Thailand, fintech, information system operator, information system, digital technologies

This article is automatically translated.

Relevance.

Attacks on computer systems are carried out against the sectors most important for society and the state: energy, transport, finance, banking, etc. Such information systems have the status of critical information infrastructure and are under the constant supervision of specialized institutions authorized by the state to ensure their information security. But the efforts of such institutions alone are not enough: they only ensure the inviolability and smooth functioning of computer systems, while other security issues (for example, data confidentiality) remain the responsibility of the entities that use these systems. A special place among such entities is occupied by financial institutions, whose credibility depends on ensuring confidentiality and on fulfilling guarantee obligations. The coordinating role in the financial and banking sector is played by the financial regulator, which sets the rules for the activities of financial institutions, including in the field of ensuring the safety of their functioning. The more significant a state is for the international economy, the more serious the attacks made on its financial institutions.

Thailand is the second economy in Southeast Asia, competing with Singapore for leadership in the region and implementing a number of measures to strengthen the investment attractiveness of financial and banking sector entities. A factor in the inflow of investment into this sector is information security, since the modern economy has a digital character. Therefore, Thailand is increasing its presence in the international arena, acting as a reliable partner in ensuring international security. In particular, in 2018 the ASEAN-Japan Cybersecurity Capacity Building Centre was established in Bangkok jointly with Japan. On its basis: 1) training courses for the staff of government agencies and bodies are held; 2) advanced training is provided for cybersecurity experts from ASEAN member states (at least 280 people); 3) a project to attract young people to solving technical cybersecurity problems (ASEAN Youth Cybersecurity Technical Challenge) is implemented (ASEAN-Japan Cybersecurity Capacity Building Centre (Step 2), URL: https://jaif.asean.org/support/project-brief/asean-japan-cybersecurity-capacity-building-centre.html). Along with international initiatives, Thailand is actively building up the regulatory framework for cybersecurity processes. Within three years, from 2017 to 2019, the National Cybersecurity Strategy 2017-2021, the Personal Data Protection Act 2018 and the Cybersecurity Act 2019 were adopted. The results were not long in coming: in 2020 alone, e-commerce and transport (food delivery) showed an increase of 81% and 42%, respectively, and during the pandemic year 2020 the increase was 12%. The increase in new users of digital services amounted to 30%, bringing the total value of Thailand's Internet economy in 2021 to 35 billion US dollars, with projected growth to 53 billion US dollars by 2025 (e-Conomy SEA Spotlight 2022. Through the waves, towards a sea of opportunity, URL: https://economysea.withgoogle.com/#explore). Therefore, the study of Thailand's experience in ensuring cybersecurity in general [1; 2], and of the activities of its financial regulator in this area in particular, is necessary to improve the Russian cybersecurity mechanism. All of the above indicates the relevance of the research topic.

The purpose of the study is to characterize the role of the financial regulator of Thailand, the Bank of Thailand, in ensuring the information security of the financial and banking sector. The objectives of the study are to determine the legal status of the financial regulator, its functions and the nature of its cooperation with the private sector in this area.

Methodology.

In order to obtain the most reliable scientific results, system-structural, formal-logical and formal-legal methods were used.

The subject of the study, the source base of the study, contradictions in existing studies and the author's position.

The subject of the study is presented by regulatory legal acts and sources of "soft law" of Thailand, which establish requirements for information systems of subjects of the financial and banking sector. The topic we have chosen for the study is poorly represented in the Russian scientific literature. It should be noted that domestic scientific studies on the role of the Russian financial regulator in ensuring the information security of banking and financial systems are published regularly, but comparative studies in this area are practically absent. Mention of the foreign experience of financial regulators' participation in the cybersecurity mechanism can be found in the works of I.I. Aminov [3], V.V. Maslennikov [4], N.S. Molodtsov [5] and A.K. Trifonova [6].
A number of our studies were devoted to the activities of financial regulators in Singapore, China and Russia in this area [7; 8; 9] within the framework of the RFBR grant "Ensuring the rights of investors in the banking and financial sectors in the conditions of digitalization of the economy in the Russian Federation and the leading financial centers of East Asia: a comparative legal aspect".

The main part.

The powers of the financial regulator of Thailand are distributed among three bodies. The Bank of Thailand (BOT) controls commercial banks, financial companies, credit institutions, asset management companies, electronic payment services and credit card companies. The Securities and Exchange Commission (SEC) oversees securities transactions. The Office of Insurance Commission (OIC) oversees the activities of insurance companies.

The Bank of Thailand was originally established as the National Banking Bureau of Thailand. The Bank of Thailand Act was promulgated on April 28, 1942, assigning the Bank of Thailand responsibility for all functions of a central bank. The Bank of Thailand started its operations on December 10, 1942. Later, the Bank of Thailand Act was amended to emphasize its social responsibility, create a mechanism to protect against economic crisis, and adjust the decision-making process to ensure proper governance and transparency in the organization. Currently, the 2008 revision of the Bank of Thailand Act is in effect (Bank of Thailand Act B.E. 2485 as amended by B.E. 2551, URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW01_BOTAct.pdf).
In accordance with this law, the Bank of Thailand has the following competence: 1) printing and issuing banknotes and other securities; 2) promoting monetary stability and developing monetary policy; 3) managing the assets of the Bank of Thailand; 4) providing banking services to the government and registering government bonds; 5) providing banking services to financial institutions; 6) creating or supporting the creation of a payment system; 7) controlling and auditing financial institutions by studying and analyzing their financial condition and activities, as well as creating a risk management system for financial institutions in order to ensure their stability; 8) managing the foreign currency exchange rate within the currency system and managing the assets of the foreign exchange reserve in accordance with the Currency Act (Currency Act B.E. 2501, URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW02_CurrencyAct.pdf); 9) currency control.

The regulatory framework for the activities of the Bank of Thailand consists of the following laws and regulations.

The Bank of Thailand Act establishes the objectives, scope of work and organizational structure of the Bank of Thailand in accordance with the international standard for a central bank, so as to maintain the stability and efficiency of the financial system, the system of financial institutions and the payment system through transparent and accountable procedures.

In accordance with the Currency Act, the Bank of Thailand is required to manage international reserves and maintain a foreign exchange reserve in accordance with relevant laws to ensure stability and confidence in the currency. In addition, the financial regulator is also required to design, print, issue, manage and control banknotes to ensure that banknotes are in circulation in sufficient quantity to meet the demand of the economic system.

The Exchange Control Act (Exchange Control Act B.E. 2485, URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW03_ExchangeControlAct.pdf) contains the principles of control, restriction or prohibition of all exchange or other transactions with foreign currency in any form.

The Payment System Act (Payment System Act B.E. 2560 (2017), URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW04_PaymentSystemAct.pdf) is aimed at supervising the operation of payment systems and payment services in order to ensure the stability, security and efficiency of payment systems in general and in accordance with international standards, including support for payment innovations. The Act defines three types of payment systems over which the Bank of Thailand has the right of supervision: the Highly Important Payment System, the Designated Payment System and the Designated Payment Service. Any person wishing to operate a payment system or payment service specified in a Notification of the Minister of Finance as a designated payment system or designated payment service must obtain a license from the Minister of Finance or register with the Bank of Thailand.

The Financial Institution Business Act (Financial Institution Business Act B.E. 2551 (2008), URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW05_FIAct.pdf) regulates the risk management measures of financial institutions, ensuring regulation of banking activities and protection against damage that may arise as a result of the activities of financial institutions. It also aims to maintain economic stability and the trust of depositors and the public by establishing rules of good governance for any person performing the duties of a director, manager, official or person with authority to manage a financial institution.
The Emergency Decree on Asset Management Companies (Emergency Decree on Asset Management Companies, B.E. 2541 (1998), URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW06_AMCAct.pdf) defines the mechanism for registering an asset management company, which then receives benefits in the form of exemption from fees and taxes when buying or receiving non-performing assets or their collateral from financial institutions. In addition, the Bank of Thailand has the right to supervise asset management companies in accordance with the powers specified in this emergency decree.

The Credit Information Business Operation Act (Credit Information Business Operation Act, B.E. 2545 (2002), URL: https://www.bot.or.th/English/AboutBOT/LawsAndRegulations/Documents/LAW07_NCBAct.pdf) requires financial institutions to have sufficient information about the financial condition and payment history of their customers, i.e., what the customers' history is and how much debt they owe to other financial institutions. In the past, financial institutions did not have such information, which contributed to an increase in overdue loans and to problems for financial institutions and for the financial institution system as a whole.

The Securities and Exchange Commission (The Securities and Exchange Commission, URL: https://www.sec.or.th/EN/Pages/ABOUTUS/HOWWEREGULATE.aspx) controls and regulates the capital markets in accordance with the legislation on securities and exchange transactions, derivatives, digital assets, trust management for capital market transactions, special purpose legal entities for securitization purposes, and the reserve fund. The objectives of its activities in administering regulations and rules are: 1) ensuring investors' access to information and investment decision-making; 2) efficient, transparent and honest operation of the capital market; 3) control and containment of systemic risks in the markets within certain limits.
The Office of Insurance Commission (OIC) is the regulator of the insurance industry in Thailand, working under the leadership of the Minister of Finance of Thailand. The Commission is authorized to regulate the activities of insurance companies, brokers and agents and was established in accordance with the Insurance Commission Act (Insurance Commission Act, B.E. 2550, URL: https://www.oic.or.th/sites/default/files/content/91311/insurance-commission-act-be-2007.pdf), in which the functions of the Commission were defined as "supervision and promotion of the insurance business". The Commission is responsible for issuing operating licenses to insurance companies and for operational compliance with regulations through market surveillance.

The Bank of Thailand has developed a set of tools to ensure the information security of financial and banking sector entities. These are so-called notifications, which establish: 1) the rules for conducting transactions with electronic payment cards; 2) the policy and measures to ensure the security of the information systems used in the commercial activities of electronic payment service providers (together with the Guidelines on Security of Information System Related to Electronic Payment Service); 3) the policy and measures for the security of information technology systems (together with the Guidelines on Security of IT Systems related to the Payment Systems).

The conduct of transactions with electronic payment cards is established by the notification of the Bank of Thailand on the rules, procedures and conditions of doing business with electronic payment cards (Notification of the Bank of Thailand No. FPG. 6/2559 Re: Rules, Procedures and Conditions for Underwriting Electronic Money Card Business, URL: https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610093.pdf). The financial regulator establishes the responsibility of the service provider for the continuity, safety and reliability of services. The service provider should implement proper risk management when selecting its own service providers and appropriate procedures for monitoring, evaluating and supervising the services of designated service providers. In addition, the service provider must conclude a service agreement with its counterparties that defines the rights of internal and external auditors, as well as of an official of the Bank of Thailand, to verify the operations and internal control of the service provider. The service provider must implement a security policy for its services, which covers access control to the system and data, customer authentication and non-repudiation, system and data integrity, data confidentiality, system availability, system monitoring, as well as an incident report in case of a system malfunction lasting more than 24 hours. It is obliged to check and evaluate its information systems at least once a year in accordance with the information system security policy and measures established by the Bank of Thailand, and to submit a copy of the audit report to the Bank of Thailand within 30 days from the date of completion of the audit.

The policy and measures to ensure the security of information systems of electronic payment service providers (together with the Guidelines on Security of Information System Related to Electronic Payment Service) are established by the relevant notification of the Bank of Thailand (The Bank of Thailand Notification No. ITG. 3/2552 Re: Policies and Measures on Security of Information System for Business Operation of Electronic Payment Service Providers, URL: https://www.bot.or.th/English/PaymentSystems/Payment_Regulation/BN_Regulation/BAHTNET%2520Notification/11_BOT_Circular_No%2520_ForChorPor%2520_794-2560_2017-05-26_ISO_BN_ICAS_EN%2520(2).pdf). According to this document, service providers must comply with information system security standards, policies and measures. Service providers should familiarize their employees with the information system security policy approved by top management, conduct staff training, and regularly review or adjust the policy in accordance with the current situation (clause 4.1). Such a policy should include provisions on a) access control and authentication; b) confidentiality of information and system integrity; c) availability of the system; d) examination of the security of the information system. Service providers should develop a set of measures to ensure the security of information systems (clause 4.2). Such measures should correspond to the characteristics of the business and include access control and authentication, confidentiality of information, integrity of the information system, system availability, and incident response and reporting. In addition, information security checks should be carried out regularly, at least once a year. The notification in question contains the Guidelines on Security of Information System Related to Electronic Payment Service developed by the Bank of Thailand.
The Guidelines include four sections: 1) on access control and authentication (the procedure for appointing personnel or divisions responsible for the information system, as well as the separation of duties when working with the information system of service providers; implementation of access control to the information system; standards of authentication and non-repudiation); 2) on confidentiality of information and integrity of the information system (requirements for confidentiality of information; change and version control of the information system or information processing equipment; network management related to the operation of the service); 3) on the availability of the system (risk assessment procedure and management of the operating system; system monitoring and detection; incident response, recording and reporting in case of damage to the information system; information backup; business continuity plan or emergency plan for the information system; maintenance of information system equipment); 4) on the security check of the information system.

The Bank of Thailand has established general requirements for the security of information systems in the notification on information systems security policy and measures (Bank of Thailand Notification No. SorNorChor. 11/2561 Re: Policies and Measures on Security of Information Technology Systems, URL: https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610021.pdf). This document defines the basic security guidelines: 1) access control and authentication; 2) confidentiality of information and system integrity; 3) availability of services; 4) security audit of information systems. It should be used as a guide in the development of a set of security measures for information systems related to highly important payment systems, designated payment systems and designated payment services.
Security measures should effectively eliminate and prevent risks in accordance with the guidelines of international standards. In addition, service providers of highly important payment systems and business providers of payment systems and services should apply and develop information system security measures depending on the types and complexity of their own services. The content of the four principles is disclosed in the Guidelines on Security of IT Systems related to the Payment Systems, approved by the notification under consideration. The principle of access control and authentication determines a) the procedure for appointing personnel or departments responsible for information technology and the division of responsibilities corresponding to the management of information systems; b) access control to information systems; c) the procedure for verifying identity and ensuring non-repudiation. The principle of confidentiality of information and system integrity defines the requirements for 1) system development, change control management, and improvement of information systems or data processing equipment; 2) management of network systems related to maintenance. The availability of the system is ensured by establishing rules for a) risk assessment and management of the service system; b) monitoring and detection of anomalies or vulnerabilities in information systems; c) resolution, incident response, recording and reporting in case of damage to the information system; d) backup of information; e) development of a business continuity plan or emergency plan for information systems; f) maintenance of information systems equipment. The Bank of Thailand requires a regular audit of the security of information systems and the review or improvement of information system security measures.

Conclusions.

As a result of the conducted research, we came to the following conclusions.
The powers of the financial regulator of Thailand are distributed among three bodies. The Bank of Thailand controls commercial banks, financial companies, credit institutions, asset management companies, electronic payment services and credit card companies. The Securities and Exchange Commission oversees securities transactions, while the Insurance Commission oversees the activities of insurance companies. Ensuring information security is entrusted to the Bank of Thailand, which is authorized to create a risk management system for financial institutions in order to ensure their stability. To this end, it adopts regulations that establish security standards for three types of information systems: general, serving electronic payments and serving electronic payment cards. Noteworthy is the requirement for information system operators, when concluding a service agreement, to define the rights of internal and external auditors, as well as of an official of the Bank of Thailand, to verify transactions and control the service provider. The financial regulator determines the status of service providers of particularly important payment systems, charging them with the obligation to develop security measures for information systems depending on the types and complexity of their own services.

The research was carried out with the financial support of the RFBR within the framework of the scientific project 20-011-00454 "Ensuring the rights of investors in the banking and financial sectors in the conditions of digitalization of the economy in the Russian Federation and the leading financial centers of East Asia: a comparative legal aspect".

References
1. Gorian, E.V. (2021). Information security in cyberspace: the experience of legal regulation in Thailand. The Territory of New Opportunities. The Herald of Vladivostok State University of Economics and Service, 13(3), 108-116. DOI: 10.24866/VVSU/2073-3984/2021-3/108-116.
2. Gorian, E.V. (2021). Thailand Cyber Security Regulatory Framework. Security Issues, 3, 1-20. DOI: 10.25136/2409-7543.2021.3.36255.
3. Aminov, I.I. (2018). Cybercrime prevention in the financial sector. Alley of Science, 5, 6(22), 754-758.
4. Maslennikov, V.V., Fedotova, M.A., Sorokin, A.N. (2017). New financial technologies are changing our world. Herald of Financial University, 21, 2(98), 6-11.
5. Molodtsov, N.S., Klimenko, O.S. (2018). Computer viruses. Virus attacks of 2017. Science through the prism of time, 4(13), 35-38.
6. Trifonova, A.K., Beskrovnyi, R.D. (2017). Cyber attacks on the banking sector: new risks and ways to overcome them. Economics. Business. Banks, S2, 83-89.
7. Gorian, E.V. (2018). The role of the financial regulator in ensuring cybersecurity: Singapore's experience. Financial Law and Management, 2, 25-38. DOI: 10.7256/2454-0765.0.0.27704.
8. Gorian, E.V. (2019). The role of the financial regulatory authority in cyber security of Russia and Singapore: a comparative legal aspect. The Territory of New Opportunities. The Herald of Vladivostok State University of Economics and Service, 11(2), 83-101. DOI: 10.24866/VVSU/2073-3984/2019-2/083-101.
9. Gorian, E.V. (2020). The role of the financial regulatory authority in information security of Russia and China: a comparative legal aspect. The Territory of New Opportunities. The Herald of Vladivostok State University of Economics and Service, 12(2), 88-102. DOI: 10.24866/VVSU/2073-3984/2020-2/088-102.