The Bank of Thailand (BOT) officially finalized and enforced its AI Risk Management Guidelines for all financial service providers in September 2025. Grounded in FEAT-aligned principles — Fairness, Ethics, Accountability, and Transparency — the guidelines impose binding obligations on AI governance structures and full lifecycle controls across the industry, positioning Thailand as a benchmark-setter for financial AI regulation across the ASEAN region.
■ Regulatory Impact: Mandatory for All FSPs, Board Accountability Now Explicit
The guidelines apply to all BOT-supervised entities without exception, including commercial banks (domestic and foreign branches), specialized financial institutions, payment service providers, and licensed fintech companies. The framework is structured around two core pillars. The first, AI Governance, mandates that boards directly approve AI risk appetite and governance policies, while establishing clear reporting lines and escalation procedures. The second, AI System Development and Security Controls, covers data quality standards, model development and validation, pre-deployment testing, and ongoing performance monitoring, and extends equally to third-party AI tools. While proportionate implementation is permitted based on institution size and AI usage, establishing a baseline governance framework is a universal obligation.
■ Compliance Requirements: Five-Step Implementation Roadmap and Mandatory Fairness Monitoring
Financial institutions are required to implement a five-stage compliance structure. This includes: ① establishing board-level AI oversight and approving risk policies; ② conducting a full inventory and risk classification of all AI systems — both in-house and third-party; ③ implementing lifecycle controls covering data governance, model development, deployment procedures, and model retirement; ④ deploying bias monitoring across high-risk AI applications such as credit scoring, lending decisions, and insurance pricing; and ⑤ conducting vendor due diligence, establishing contractual safeguards, and developing contingency plans. Institutions are also explicitly required to create mechanisms allowing customers to understand and contest AI-driven decisions. Compliance with Thailand’s Personal Data Protection Act (PDPA) is a parallel and non-negotiable requirement.
■ Industry Response: Regional Regulatory Convergence Demands Proactive Governance Architecture
The BOT guidelines arrive amid a broader wave of FEAT-aligned financial AI regulation across ASEAN — Singapore’s MAS issued a draft in November 2025, Malaysia’s BNM released its proposal in August 2025, and Indonesia’s OJK mandated its framework in December 2025. As the first finalized regulatory instrument in the region, BOT’s guidelines signal that financial institutions operating across ASEAN can no longer manage AI compliance on a jurisdiction-by-jurisdiction basis. A unified, cross-border AI governance architecture is now a strategic and operational necessity. International financial institutions with exposure to Thailand and the wider ASEAN market must urgently assess the applicability of these requirements to their regional operations.
■ International Trends: ASEAN Financial AI Governance Standardization Accelerates
The BOT framework draws directly from Singapore’s FEAT framework and aligns with the ASEAN AI Governance Guide’s regional principles. While the guidelines are more limited in GenAI-specific provisions compared to Singapore’s Project MindForge, their requirements on third-party AI management and demographic fairness monitoring are among the most comprehensive in the region. As global financial AI regulation shifts from voluntary guidance to binding obligation, BOT’s early finalization sets a new supervisory benchmark — and a preview of where the rest of ASEAN is heading.