Thailand

Under Thai law, cryptoassets are primarily governed by the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) (the “Digital Asset Decree”), which provides formal legal definitions for two categories of digital assets: cryptocurrencies and digital tokens. These definitions serve as the basis for regulatory oversight by the Securities and Exchange Commission of Thailand (SEC) and other financial regulators.

A “cryptocurrency” is defined under section 3 of the Digital Asset Decree as “an electronic data unit created on an electronic system or network for the purpose of being used as a medium of exchange for the acquisition of goods, services or any other rights, or the exchange between digital assets”. The definition is intentionally broad and includes other electronic data units as specified by the SEC through subsequent notifications. At the time of writing, the SEC has approved the use of certain cryptocurrencies for trading on licensed exchanges, including:

• Bitcoin (BTC);
• Ethereum (ETH);
• Ripple (XRP);
• Stellar (XLM);
• Tether (USDT); and
• USDC.

Notably, while cryptocurrencies may be used as a medium of exchange, the Bank of Thailand (BOT) has publicly discouraged their use for payment of goods and services, citing concerns over volatility, consumer protection, and financial stability (BOT Policy Statement, 8 July 2021).

By contrast, a “digital token” is defined as “an electronic data unit created on an electronic system or network” for one of the following purposes:

• an investment token, which grants the holder a right to participate in an investment project or business; or
• a utility token, which entitles the holder to receive specific goods, services, or other rights pursuant to an agreement with the issuer.

The Digital Asset Decree remains the principal legislation governing the issuance, offering, and trading of cryptocurrencies and digital assets. The framework is administered by the SEC, the Ministry of Finance, and, in matters relating to financial stability and payment, the BOT.

In addition to the core legislation, the SEC has issued a number of notifications and subordinate regulations governing token offerings, investor protections, advertising, custody standards, and record-keeping. Offerings of investment tokens or utility tokens that are not immediately functional are subject to registration and SEC approval and must be conducted via an authorised portal provider. Issuers are also subject to governance obligations, including disclosure of board-approved conflict-of-interest management procedures and enhanced rules on token-holder voting and advertising, as indicated in SEC Press Releases No. 79/2024 and No. 150/2024.

Although the trading and holding of cryptocurrencies is permitted, the use of digital assets as a means of payment is expressly restricted. In line with the BOT’s longstanding policy discouraging cryptocurrency payments, SEC Notification No. 5/2565 prohibits licensed digital asset business operators from facilitating or promoting the use of digital assets for payments. As of July 2025, draft regulations are pending that would extend this prohibition to custodial wallet providers.

Nonetheless, Thai authorities have taken an innovation-forward approach to supervised testing. The BOT is continuing its development of a retail central bank digital currency (CBDC) and is actively engaged in the cross-border mBridge initiative for wholesale CBDC settlement. In 2024, the SEC launched a digital asset regulatory sandbox for licensed operators to trial new services under regulatory supervision for a fixed period.

From a taxation perspective, income derived from digital assets is subject to taxation under the Revenue Code. This includes capital gains from trading, mining income, and any other income derived from the holding or transfer of cryptocurrencies or digital tokens. A 15% withholding tax applies to certain types of income, while value added tax (VAT) exemptions apply to transactions conducted through licensed exchanges and to issuances of investment tokens, pursuant to Emergency Decrees No. 744 and No. 799.

Finally, investment-related activities, such as fund management or advisory services involving digital assets, are separately regulated. Persons providing such services must obtain licences under the Digital Asset Decree, and their activities are subject to ongoing compliance obligations. Digital assets are also recognised as “property” under Thai law, although practical challenges persist in relation to their treatment in estate planning and probate, due in part to limitations on the admissibility of electronic evidence in testamentary proceedings.

Stablecoins are not defined as a separate category under the Digital Asset Decree. However, the regulatory treatment of stablecoins depends on their structure. Fiat-backed stablecoins may be classified as digital assets or as a form of e-money, depending on their function and backing mechanism. The BOT has indicated that it is in the process of developing a regulatory framework for fiat-backed stablecoins, although comprehensive regulation has yet to be promulgated as of writing in August 2025. At present, the BOT continues to monitor stablecoin developments in parallel with its retail CBDC pilot and the mBridge (wholesale CBDC) cross-border settlement project.

Non-fungible tokens (NFTs) are not explicitly defined in current legislation. However, depending on their form of use, NFTs may fall within the existing definition of digital tokens, particularly if they represent a claim to goods, services, or rights, or are used for investment purposes. The SEC has not issued formal guidance on NFTs, although it is generally understood that NFTs used solely for collectible or artistic purposes and not marketed for investment may fall outside the scope of the Digital Asset Decree.

Recent regulatory updates reflect the Thai government’s increasing support for digital token-based fundraising, with safeguards for investor protection. In particular, SEC Press Release No. 16/2024, effective from 16 January 2024, lifted investment limits on real estate and infrastructure-backed initial coin offerings (ICOs) for retail investors and introduced updated standards for custodial wallet providers, among other reforms. These changes underscore the regulatory distinction between cryptocurrencies, which are treated cautiously, and digital tokens, which are actively promoted as investment instruments under a tightly regulated regime.

Thailand operates a comprehensive licensing and authorisation regime for cryptocurrency issuers, service providers, and trading platforms, which has been strengthened since the original Digital Asset Decree of 2018. The regime is administered primarily by the SEC and the Ministry of Finance, with relevant policy input from the BOT, especially in matters concerning financial stability, payment systems, and prevention of illicit financial activity.

The law recognises several regulated categories of digital asset activities, each of which must be separately authorised. These include:

• Digital asset exchange: a platform that facilitates trading or exchange of digital assets by matching orders or providing a system for buyers and sellers to transact.
• Digital asset broker: a service provider acting as an intermediary in digital asset transactions for a fee.
• Digital asset dealer: a party trading digital assets for its own account in the ordinary course of business outside an exchange.
• Digital token portal provider: an entity authorised to screen and facilitate offerings of digital tokens (e.g. through ICOs).
• Digital asset fund manager: a provider managing investment portfolios in digital assets on behalf of clients.
• Digital asset advisor: a provider offering investment advice related to digital assets, whether directly or indirectly.
• Digital asset custodial service provider: a business offering safekeeping of digital assets or managing private cryptographic keys necessary for asset transfers.

Each category is subject to eligibility and ongoing compliance requirements, which are more fully specified under the updated law and SEC/Ministry of Finance notifications. Key requirements include:

• minimum capital, an organisational structure, risk management, cybersecurity, and operational guardrails;
• custody rules, particularly around the segregation of customer assets, daily reconciliation, use of hot/cold wallets, and restrictions on using customers’ assets for any purpose other than their custody;
• prohibitions on providing certain services, including supporting or promoting digital assets as a means of payment for goods and services, using wallets or tools for payments, advertising that promotes payments with digital assets, and privacy coin services without requisite disclosure obligations; and
• licence requirements for foreign operators providing services to Thai users under specified characteristics.

Importantly, the 2025 amendment to the Digital Asset Decree also tightened restrictions on overseas-based platforms that market or promote to users in Thailand. Foreign operators are deemed to be “operating in Thailand”, and thus subject to SEC licensing and advertising rules if their marketing or platforms display any of the following seven characteristics:

• use of the Thai language;
• use of a “.th” or “.ไทย” domain name;
• accepting payments in Thai baht;
• accepting deposits through Thai banks or local e-money accounts;
• targeting of Thailand residents in marketing campaigns;
• dissemination of targeted advertisements towards Thailand residents via local media or influencers; and
• any other acts that demonstrate a clear intention to solicit Thai users.

These restrictions significantly broaden the reach of Thai law, ensuring that offshore platforms cannot bypass local protections by operating from abroad while still marketing to Thai residents.

Penalties for non-compliance are significant. Operating a digital asset business without relevant licences can result in imprisonment of two to five years and a fine ranging from THB 200,000 to 500,000, together with a daily fine of up to THB 10,000 for each day the violation continues. Individuals who allow their accounts or wallets to be used as “mule accounts” for unlawful digital asset activities face penalties of up to three years’ imprisonment, fines of up to THB 300,000, or both.

Regulators also have the authority to block or restrict access to unlicensed platforms and can impose administrative sanctions, such as disqualification of directors or executives from holding management positions in licensed operators. In addition, failure by service providers to comply with technology crime takedown or data removal orders may attract further penalties of up to one year’s imprisonment or fines of up to THB 100,000, or both.

Authorisation is granted by the Ministry of Finance upon recommendation by the SEC. Issuers of digital tokens must obtain SEC approval for offerings and register offering documents, unless exempted (e.g. immediately usable utility tokens). Fund managers and advisors dealing in digital assets must also be separately licensed. Since the 2025 amendment, enforcement has been tightened to cover foreign platforms deemed to target Thai persons, with streamlined powers for the SEC and other authorities to suspend operations, block access, and impose both civil and criminal penalties.

The promotion of cryptoassets to consumers and investors in Thailand is regulated primarily under the Digital Asset Decree and subsequent regulations issued by the SEC.

For ICOs, issuers are required to obtain SEC approval and file a registration statement similar to those required for securities offerings. The ICO must also be conducted through an SEC-approved “Digital Portal Service Provider”. Comprehensive rules under SEC Notification No. 15/2561 regulate both “investment tokens” that grant rights to participate in an investment project, and “utility tokens” that are not immediately usable upon issuance.

In 2024 and 2025, the SEC introduced further requirements concerning ICO governance, disclosure, and advertising standards. Specifically, ICO advertisements must avoid language that pressures or entices investors into impulsive decisions, must not imply guaranteed returns, and must contain appropriate risk warnings. If external information is used, the sources must be reliable and clearly cited. The SEC also requires issuers to ensure that third-party advertisers and promoters, including influencers, comply with the same standards. Non-compliance may result in the SEC directing issuers to revise or withdraw misleading promotional materials to ensure that information provided to investors is factual, comprehensive, and not misleading (SEC Press Release No. 79/2024).

These measures extend beyond traditional issuer communications to cover marketing promotions and influencer-led campaigns, reflecting a broader policy of preventing undue hype and protecting retail investors. The rules are designed to align cryptoasset advertising with existing consumer protection and market integrity standards in Thailand.

As discussed in Question 4, above, the updated Digital Asset Decree mandates that any person issuing, trading, or facilitating transactions in cryptocurrencies or digital tokens, whether inside Thailand or, in many circumstances, outside Thailand but offering services to persons in Thailand, must be licensed as a digital asset business operator. This includes disseminating marketing campaigns and advertisements targeting users in Thailand.

Cryptoasset custodians in Thailand are regulated under the Digital Asset Decree, as amended, and subsequent notifications of the Ministry of Finance and the SEC. In July 2022, the category of Digital Asset Custodial Service Providers was formally introduced, requiring such entities to obtain a licence before offering custody services. Custody is broadly defined to include both the safekeeping or deposit of digital assets, and the management of cryptographic keys or other confidential elements necessary to enable transactions involving digital assets.

Licensed custodians are subject to regulatory standards comparable to those applicable to traditional financial institutions. The SEC requires robust governance and operational safeguards, including:

• Licensing and fit-and-proper requirements. Applicants must demonstrate sufficient expertise, financial stability, and operational readiness to provide custody services. Where custodians operate within a corporate group, independence criteria apply to ensure proper separation from affiliated businesses.
• Client asset segregation. Custodians must maintain clear segregation between their own assets and those of clients, both in digital and fiat holdings, to prevent commingling and mitigate insolvency risks.
• Security measures. Operators are required to adopt security frameworks equivalent to banking sector standards. These include maintaining secure custody environments (such as cold or offline storage), establishing incident response protocols, and ensuring the integrity of cryptographic key management.
• Anti-cybercrime obligations. In line with the 2023 Cybercrime Law, custodians must implement monitoring and blacklist mechanisms to detect and suspend suspicious accounts and must share information with regulators. They may be held jointly liable with banks and telecom operators if they fail to prevent fraud or mule account activity

Thailand imposes comprehensive anti-money laundering (AML) obligations on digital asset businesses under both the Anti-Money Laundering Act B.E. 2542 (1999) and the Digital Asset Decree. Section 7 of the Emergency Decree classifies digital asset business operators and ICO portals as “financial institutions”, thereby subjecting them to the same AML requirements as banks and other regulated financial entities.

Key obligations include:

• Customer due diligence (CDD). Operators must conduct CDD from the first transaction and on a periodic basis until the account or relationship is terminated. This involves identifying and verifying customers, beneficial owners, and the purpose of transactions, while ensuring that customer information and sources of funds remain up to date.
• Enhanced CDD for high-risk clients. Customers deemed high-risk, such as politically exposed persons, those with complex ownership structures, or residents of high-risk jurisdictions identified by the Anti-Money Laundering Office (AMLO) or the Financial Action Task Force (FATF), must be subject to enhanced due diligence. This includes additional verification of business activities and funds, senior management approval, closer monitoring, and possible refusal of service where risks cannot be mitigated.
• Transaction monitoring and suspicious activity reporting. Digital asset operators must report suspicious transactions, cash transactions over THB 2 million, and property transactions over THB 5 million to the AMLO. They must also maintain policies to detect unusual or inconsistent financial movements.
• Record-keeping. Licensed operators must retain accurate and updated records of custody and client transactions for at least five years, with the records of the first two years stored in an easily accessible format for SEC inspection.
• Cybercrime prevention. Following the 2023 Cybercrime Law, operators are required to implement security measures comparable to those in the banking sector, including blacklisting illicit wallet addresses, suspending suspicious accounts, and cooperating with authorities. Operators may be held jointly liable with banks, telecom companies, and social media platforms if they fail to prevent fraud and mule account activities.

Collectively, these measures align Thailand’s cryptoasset AML regime with international standards while addressing emerging risks, such as cyber-enabled financial crime and cross-border illicit flows.

The ownership of cryptoassets is recognised and regulated primarily under the Digital Asset Decree and the Civil and Commercial Code (CCC). The Emergency Decree provides the statutory definitions of “cryptocurrency” and “digital tokens”, distinguishing them as electronic data units that may function either as a medium of exchange or as instruments conferring investment or utility rights.

Cryptoassets are treated as “property” under section 138 of the CCC and are therefore capable of being owned, transferred, assigned, and inherited. This classification places them within the broader framework of property rights in Thailand, meaning they can be included in estates, subject to succession rules, and potentially securitised or pledged as collateral. However, enforcement of testamentary succession of digital assets remains a practical challenge, as electronic evidence is excluded from probate proceedings under the Royal Decree Exempting Certain Transactions in the CCC from the Electronic Transaction Act (2005), making it difficult to rely on digital records to prove ownership upon death.

In terms of control and beneficial ownership, Thai law recognises both the legal and beneficial interests in digital assets. For AML purposes, digital asset operators must identify and verify the “ultimate beneficial owner” of cryptoassets, ensuring transparency in instances where assets are held or controlled on behalf of others. This approach reflects international standards on beneficial ownership disclosure and aims to prevent misuse of cryptoassets for illicit activity.

From a regulatory perspective, any entity seeking to operate businesses involving the ownership, transfer, or safekeeping of cryptoassets must be licensed as a digital asset business operator under the Emergency Decree. The Ministry of Finance and the SEC supervise activities such as exchanges, brokers, dealers, ICO portals, custodians, fund managers, and advisors. Licensing requirements ensure that operators adhere to prudential safeguards, customer protection standards, and AML obligations.

With respect to securitisation and collateralisation, the classification of cryptoassets as “property” means that, in principle, they can be pledged or otherwise used as collateral in financing arrangements. However, there is no specific statutory framework addressing the mechanics of crypto collateralisation in Thailand, and practical enforcement remains uncertain given the technological challenges of verifying and realising control over such assets. As such, while the legal basis exists, market participants typically rely on contractual arrangements and custodial structures to secure interests in cryptoassets, rather than formalised securitisation regimes.

Overall, while Thai law allows for the ownership and transfer of cryptoassets within the framework of property rights, the regime emphasises regulatory oversight, transparency of beneficial ownership, and adherence to licensing standards to ensure that such ownership and transfers occur within a controlled and lawful environment.

At present, Thailand does not have a dedicated legal or regulatory framework governing DAOs. They are not recognised as a distinct legal entity under Thai law, nor is there any specific registration or licensing regime applicable to them.

Although there have been no cases directly addressing the status of DAOs in Thailand, they could be viewed as analogous to an unincorporated general partnership, which under Thai law carries joint and several liability among its members. This means that individuals participating in a DAO may, in principle, be held personally responsible for the DAO’s obligations without limitation, absent any protective legal structure. This stands in contrast to corporations or limited liability entities recognised under Thai law, where liability is confined to the amount of capital contributed.

Because DAOs are not considered legal persons, they cannot directly own property, enter into contracts, or hold rights and obligations in their own name. Any such activities would need to be carried out by identifiable individuals or separate legal entities acting on behalf of the DAO.

From a regulatory perspective, while there are no DAO-specific rules, Thai regulators have demonstrated caution with respect to decentralised systems. In particular, obligations under the Digital Asset Decree and the Anti-Money Laundering Act B.E. 2542 (1999) may indirectly apply if DAO-related activities fall within the scope of “digital asset businesses”. In such cases, participants or operators exercising significant control over a DAO could be subject to licensing, disclosure, and AML obligations.

As of writing, DAOs currently operate in a regulatory grey area in Thailand. With no dedicated framework or judicial precedent, members face the risk that DAOs could be treated as unincorporated general partnerships, exposing them to joint and several liability for the organisation’s activities.

Thailand has no crypto-specific bankruptcy code. Insolvency and business rehabilitation are governed by the Bankruptcy Act B.E. 2483 (1940) (as amended) and related court procedures; cases are handled by the Central Bankruptcy Court and administered by the Official Receiver, who takes control of the debtor’s estate, realises assets and distributes proceeds according to statutory priorities. 

That said, the Digital Asset Decree imposes important client asset safeguards that take effect when a licensed digital asset operator becomes insolvent or is placed under receivership: operators must keep each client’s assets in segregated accounts, separate from the operator’s own, and the Decree states that “the clients’ assets kept in the account… belong to the clients”. If an operator is put under a receivership or similar order, procedures under the Securities and Exchange Act apply mutatis mutandis to prioritise the identification, segregation, transfer or return of client property (e.g. transfer to another intermediary), with the SEC empowered to oversee the process and complete it within prescribed timeframes.

With regard to the treatment of cryptoassets in bankruptcy, Thai law recognises cryptoassets as “property”, thus, where a debtor, either an individual or juristic person, holds crypto in their own right, those assets form part of the bankruptcy estate and are realisable by the Official Receiver, subject to any proprietary or security interests. In practice, this was confirmed in the Zipmex insolvency proceedings, where the Central Bankruptcy Court recognised customer tokens as property, with the effect that they were capable of being segregated and returned to customers rather than being absorbed into the exchange’s own estate. This case provides early judicial guidance that strengthens the “property” character of digital assets under Thai law.

Operationally, there are no bespoke liquidation rules for digital assets; receivers typically realise property through sale and may use regulated platforms or brokers to dispose of digital assets in compliance with the Emergency Decree.

There is currently no statute in Thailand that expressly addresses the enforceability of “smart contracts”. Their validity is instead assessed under the general provisions of the CCC, which requires that contracts:

• be formed with mutual consent of the parties;
• have a lawful and possible object; and
• comply with any prescribed formalities where applicable.

A smart contract, essentially a self-executing program on a blockchain, can satisfy these requirements where the parties’ agreement, intent and obligations are sufficiently clear. The fact that performance is automated does not in itself prevent enforceability under Thai law. As with traditional electronic contracts, enforceability depends on whether the substantive legal criteria for contract formation are met.

Regulators have also acknowledged the role of distributed ledger technology and smart contracts in the Thai financial ecosystem. The BOT, for instance, has promoted “programmable payments” and blockchain-driven pilots that rely on automated execution of conditions. Similarly, the SEC’s Digital Asset Regulatory Sandbox accommodates innovations that may incorporate smart contract functionality. These initiatives demonstrate that Thai regulators consider smart contracts as tools within the legal framework, rather than as unrecognised agreements.

However, certain limitations remain. For example, under the Royal Decree Exempting Certain Transactions in the CCC from the Electronic Transaction Act (2005), testamentary transactions are excluded from electronic recognition; by analogy, evidentiary or interpretive challenges could arise with smart contracts in litigation. Courts would likely need to rely on supporting documents, such as white papers, terms of use, or off-chain agreements, to clarify the parties’ intent and terms.

While there is no specific legislation on smart contracts, they are generally enforceable under Thai contract law, provided that the essential requirements of the CCC are satisfied. Parties relying on smart contracts should ensure that supporting documentation and express terms are maintained to mitigate evidentiary and interpretive risks.

Victims of crypto fraud in Thailand may pursue remedies through both criminal and civil proceedings. Fraudulent activity involving digital assets is generally prosecuted under the Thai Penal Code, the Computer Crime Act, and the Digital Asset Decree. In parallel, civil claims for damages or restitution may be filed under the CCC.

The SEC and the AMLO play important roles in enforcement. The SEC has authority to investigate digital asset business operators and suspend or revoke licences in cases of misconduct, while the AMLO has powers to freeze or confiscate assets linked to money laundering or fraud. The BOT has also taken a more active role, particularly in monitoring peer-to-peer (P2P) crypto transactions, many of which have been linked to local fraud schemes and the use of “mule accounts”. In practice, the BOT has introduced measures and restrictions, including transaction bans, to reduce opportunities for fraudsters to exploit the P2P channel.

Victims can apply to the Thai courts for interim relief, including:

• Freezing or seizure orders: courts may issue provisional measures to freeze bank accounts, seize digital wallets (where technically feasible), or restrain transfers of suspected assets.
• Proprietary injunctions: available where victims can demonstrate ownership or tracing of assets, although enforcement against pseudonymous wallets remains technically challenging.
• Third-party disclosure orders: courts may compel licensed digital asset exchanges, custodians, or banks to disclose customer information, facilitating asset tracing.

Where a claim is brought, service of court orders and judgments follows standard Thai civil procedure. If the fraud involves an overseas exchange or operator, service may require compliance with bilateral treaties or the Hague Service Convention, to which Thailand acceded in 2023.

Once judgment is obtained, enforcement is carried out by the Legal Execution Department. Assets, including digital assets recognised as “property” under section 138 of the CCC, can be seized and liquidated for the benefit of victims.

Additionally, under the 2023 Cybercrime Law, digital asset business operators, banks, telecommunications firms, and even social media platforms may be held jointly liable if they fail to prevent mule accounts or illicit wallet activity linked to fraud. This framework enables victims to seek restitution through coordinated enforcement actions and refund mechanisms introduced by the SEC.

While practical challenges exist in tracing and recovering cryptoassets, Thai law provides victims of crypto fraud with a combination of criminal prosecution, civil damages claims, interim asset-freezing tools, and regulatory enforcement mechanisms. Recent interventions by the BOT targeting P2P fraud and mule accounts highlight the regulatory trend toward proactive prevention as well as victim restitution.

Thailand taxes cryptoasset income under the Revenue Code, with targeted exemptions designed to channel activity through regulated platforms.

Income from cryptoassets is generally taxable under section 40(4)(h) to (i) of the Revenue Code, covering profit-sharing, staking returns, and gains where the transfer value exceeds cost. Where cryptoassets are paid as income, payers must also withhold 15% at source (section 50(2)(f)). From 1 January 2025 to 31 December 2029, however, Thailand grants a personal income tax exemption for capital gains realised on trades executed through licensed Thai digital asset exchanges. The exemption does not apply to fiat-to-crypto conversions, crypto-to-fiat withdrawals, or trades outside licensed venues, which remain taxable. In addition, transfers of cryptocurrency or digital tokens on licensed digital asset exchanges are exempt from VAT under Emergency Decree No. 744. A separate, temporary VAT exemption applied to transfers of BOT-issued digital currency between 1 April 2022 and 31 December 2023 (Emergency Decree No. 745).

Juristic entities that issue and sell investment tokens to the public in compliance with the Emergency Decree benefit from corporate income tax and VAT exemptions (Emergency Decree No. 779; retroactive to 14 May 2018). Other businesses dealing in cryptoassets are generally taxed under ordinary corporate income tax rules on profits, subject to the specific exemptions above and any withholding obligations when paying digital asset income. 

There is no prescribed special taxpayer reporting beyond ordinary Thai tax filings; however, there are sectoral reporting and record-keeping requirements for licensed digital asset operators (e.g. five-year retention for custody and fund management records, with the first two years readily accessible to the SEC), and a requirement to submit AML reports to the AMLO, particularly with regard to cash or property thresholds and suspicious transactions. There are also regulatory obligations imposed on operators rather than additional tax return filings for individual taxpayers.

The policy thrust is to incentivise activity on licensed venues (e.g. via personal income tax exemption; VAT exemption etc.) while retaining ordinary tax treatment elsewhere. Taxpayers should track execution venues, character of receipts (capital versus income), and withholding where crypto is used as remuneration. 

Thai cryptoasset platforms are subject to the cross-sector Personal Data Protection Act B.E. 2562 (2019) (PDPA) and sector-specific rules issued under the Digital Asset Decree.

The PDPA applies to controllers/processors that collect, use, or disclose personal data in Thailand (including certain extraterritorial scenarios), and adopts General Data Protection Regulation-style principles on lawful bases, transparency, security, and data subject rights. Controllers and processors must implement “appropriate” security measures and comply with disclosure/notice obligations, notably:

• A controller must notify the Personal Data Protection Committee (PDPC) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to risk individuals’ rights and freedoms. Where the breach is likely to result in a high risk, affected data subjects must also be notified. Practical guidance clarifies timing and limited allowances for delayed reporting. 
• An assigned Data Protection Officer (DPO) is required where core activities involve regular or systematic monitoring or large-scale processing of personal or sensitive data (as further specified by PDPC sub-regulations effective December 2023). Crypto platforms that continuously monitor transactions and behaviour typically assess this threshold as met.
• Outbound transfers must meet PDPA conditions, such as transfers to “adequate” destinations per the PDPC Whitelist Notification, binding corporate rules, or other PDPA mechanisms among others.

Beyond the PDPA, licensed digital asset businesses must meet SEC-mandated safeguards comparable to banking standards, maintain blacklists and screen/suspend suspicious accounts, operate refund mechanisms for fraud victims, share information with authorities, and comply with five-year record-keeping, with the first two years readily accessible. Operators may face joint liability with banks, telecoms, and platforms if they fail to meet these standards. 

Digital asset operators are deemed to be “financial institutions” for AML purposes and must undertake CDD/know-your-customer (KYC) procedures, ongoing monitoring, and reporting to the AMLO. These obligations require extensive processing of identification and transactional data and should be aligned with PDPA requirements. Thailand, as a FATF member, is also expected to implement Recommendation 16 (the “Travel Rule”), which requires originator and beneficiary information to accompany virtual asset transfers. Although at the time of writing, while Thai law already imposes strong KYC and reporting obligations on licensed platforms, there is not yet clear evidence that a full Travel Rule framework has been formally adopted. Regulators are, however, monitoring international standards and may tighten rules further to align with FATF expectations.

In summary, crypto platforms in Thailand must:

• comply with the PDPA, including 72-hour breach notification, where applicable, DPO appointment where thresholds are met, and cross-border transfer rules; and
• implement sector-specific cybersecurity and operational safeguards required by the SEC (screening/blacklists, refund and cooperation mechanisms, robust security, and record-keeping), alongside AML/KYC duties.

Together, these regimes protect customers’ personal and transactional data and set baseline cyber-resilience expectations for the sector.

Thailand does not provide statutory definitions of “staking”, “yield farming” or “investment tokens”. Instead, such activities are assessed under the Digital Asset Decree and related SEC or Ministry of Finance notifications, which regulate them based on the functional roles and characteristics of the relevant token.

Where a token confers rights to participate in or receive returns from a project, it is treated as an investment token and subject to the SEC’s offering/disclosure regime. “Ready-to-use” utility tokens issued purely for consumption are, in limited cases, exempt from offering approval, but the SEC’s 13 August 2024 revisions prohibit using such utility tokens for staking, save for narrow governance-type uses such as voting, event participation and/or ecosystem rewards. If a utility token is intended for exchange trading, approval and disclosures apply. 

Platforms that facilitate staking, yield products, or similar return-bearing services to Thai users may fall within one or more licensed categories. Operators must meet licensing, governance, segregation and security standards broadly aligned with financial sector norms. As discussed in Question 5, above, offshore operators that target users in Thailand are now subject to an extraterritorial licensing rule. 

Licensed operators must implement banking-grade security controls, maintain blacklists and suspend suspicious accounts, operate refund mechanisms for fraud victims, share information with authorities, and comply with five-year record-keeping. These requirements sit alongside AML obligations, as digital asset businesses are treated as “financial institutions” for AML purposes.

Thailand has no stand-alone decentralised finance law. Return-bearing crypto schemes are assessed through existing digital asset and consumer protection frameworks:

• tokens that embody investment-type rights are regulated as investment tokens;
• platforms facilitating staking/yield to Thai users typically require licensing and must meet segregation, security and AML standards; and
• utility tokens cannot be used for staking beyond narrow governance functions. 

Thailand has several live or recently concluded consultations and pilot frameworks that signal further regulatory development:

• The BOT is piloting programmable payments, automated transactions with predefined conditions, within its sandbox. In parallel, the SEC conducted a July 2024 public hearing on a draft regulation to allow licensed digital asset business operators to accept crypto issued by participants in the BOT’s programmable-payment sandbox, creating a narrowly scoped gateway for payment use within a controlled environment (pending finalisation). 
• Launched on 9 August 2024, the SEC Digital Asset Regulatory Sandbox admits the six licensed categories (exchanges, brokers, dealers, fund managers, advisors, custodial wallet providers) to test innovations under SEC supervision for an initial one-year term (with possible renewal).
• On 15 July 2025, the SEC opened a public hearing on a new sandbox enabling foreign tourists to convert digital assets to Thai baht via licensed operators and spend through e-money rails regulated by the BOT. The 18-month extendable framework requires full KYC/CDD, data collection and assessment, blockchain analytics, information-sharing with regulators, and structured exit plans.
• While existing SEC rules bar licensed operators from supporting crypto as a general means of payment, a draft measure would extend this prohibition to digital asset custodial service providers, reflecting continued caution around payment use cases.
• The BOT continues policy work on fiat-backed stablecoins and is advancing both retail CBDC pilots and the mBridge wholesale CBDC project. The SEC, meanwhile, is monitoring product perimeter issues (e.g. spot Bitcoin ETFs offered overseas) and has clarified its current stance while keeping supervision under review. 

Thailand is using targeted sandboxes and incremental rulemaking to calibrate market access and consumer protection. Expect further guidance that tightens operational standards for intermediaries, while selectively opening sandboxed pathways for specific payment and tourism use cases.