However, it is questionable whether Thailand is prepared for this, in view of recurrent cyberattacks and a lack of data privacy law in general.
The master plan comprises five projects: an AnyID payment system; expansion of the use of electronic cards; an e-tax system and e-transaction documents; e-payment of government entities; and building awareness.
Undeniably, there are many advantages to the plan. As electronic transactions are traceable, tax evasion, money laundering, corruption, organised crime, and financing of illegal activities would be observable.
The Bank of Thailand could save a vast amount of money that would normally be spent on printing banknotes to replace old and damaged ones.
The AnyID transfer system would facilitate transactions for people in rural areas where branches of commercial banks are scarce.
Also, incentives from the government are expected to include a lower rate of value-added tax for those who switch from cash to e-payment.
Nevertheless, the biggest concern revolves around the lack of sufficient security measures to protect account holders from unauthorised use, and to prevent system errors, fraud, and other cyber-threats.
The Computer Crime Act BE 2550 (2007) is in place to combat cybercrimes including hacking, phishing, DDoS (distributed denial of service) attacks, and/or spam mails, but we have seen a rise in cyber-threats. Statistics from the Thailand Computer Emergency Response Team (ThaiCERT) show that there were 4,371 cyber-threat cases in 2015, a 150-per-cent increase over the previous two years.
The Requirements, Procedures, and Conditions for Undertaking Electronic Payment Service Business BE 2559 (2016) regulation is in place to protect e-payment customer data. It prescribes that e-payment service providers must keep customer data confidential throughout and after use of the service, with certain exceptions – for example, where the customers have given prior written consent, or the disclosure is for the purpose of investigation, litigation, compliance with laws, or supervision of the BOT.
However, the regulation is targeted at requiring e-payment service providers to provide personal data protection, rather than regulating illegal acts of anyone in general. As a result, the Personal Data Protection Act, which was approved in principle by the Cabinet in January 2015, needs to be put in place, as the national e-payment system will require the creation of a central repository of personal data of the vast majority of the population.
There are also other issues of note as follows.
While one of the aims of the master plan is to reduce money laundering, corruption, and payment for illegal activities, it is arguable that even with the national e-payment programme in place, criminals will try to circumvent the system by using other anonymous payment means such as Bitcoins instead.
One of the objectives of the AnyID payment system is to help low-income people access financial services (the minimum transaction is initially set at only Bt20). However, such people often have little understanding of how sophisticated e-payment systems work. As such, they would be susceptible to cyber-threats.
The infrastructure is not yet in place to provide fully stable Internet connections countrywide, which may hinder the use of the e-payment system by the very people it is aimed at helping in outlying areas.
Awareness must be boosted while security measures, proper data management, and equal broadband access must be put in place to support the grand scheme.
Next step?
The Cabinet last December 1 approved the new Payment System Bill. It is suggested that the bill not only upholds security measures but also strikes a balance between information sharing and the protection of personal data and financial privacy of data owners.
Financial institutions and the BOT must provide account holders with a clear policy statement regarding information sharing.
The bill should also make clear who will bear the burden of sending data-breach notifications to account holders, and who will have the duty to investigate any system errors and re-credit amounts to account holders in case of system errors. The bill should also address clearly who – account holders or financial institutions – will bear associated risks, such as for fraudulent transactions or identity theft of a debit card.
In using the e-payment system, it cannot be denied that account holders may have to bear some risk and exercise a certain amount of care to protect their online accounts. Complicated password combinations may help. However, despite caution, unexpected losses may still happen in practice.
The bill should also include adequate consumer-protection regulations to protect e-payment account holders from unauthorised transactions and/or identity theft.
The cashless society also requires a significant investment in developing system security measures, installing software, training manpower and putting in place contingency arrangements. If the master plan and the related laws and regulations are not well thought out, people may end up not using the system for fear of security flaws and invasion of privacy by the government.
The system will be embraced only when adequate protection is in place, and that includes adequate system security, privacy protection, and fair remedies.
Dhiraphol Suwanprateep is a partner at Baker & McKenzie Ltd. Kritiyanee Buranatrevedhya is a lawyer working in IT/communications practice and intellectual property practice groups.