Legal Risk Management on uses of Blockchain Technology in Financial Services


On 4 June 2021, the Bank of Thailand (“BOT”) issued guidelines for using blockchain technology in financial services. The guidelines are intended to serve as a reference for financial service providers on how to use blockchain technology in practice, and to ensure that providers implement it in a proper, safe and reliable manner that is consistent with international standards. They also aim to build public trust in blockchain-based financial services and to set the standard for the development of the country's financial infrastructure.

The guidelines apply to financial service providers under the BOT’s supervision - namely: (1) financial institutions (i.e. commercial banks, finance companies and credit fonciers) and financial business groups under the law on Financial Institution Businesses; (2) business operators supervised by the BOT that are not financial institutions (e.g. credit card, personal loan or micro-financing businesses); and (3) business operators under the law on payment systems - that use a Private Blockchain Network (a blockchain network that controls access to the network and its data) to provide financial transactions, whether as an administrator or as a member of the network. Where a financial service provider intends to operate on a Public Blockchain Network (an open network that anyone can access, together with its data, without permission), the provider must consult the BOT on a case-by-case basis before proceeding.

The guidelines cover four key practices for using blockchain technology in financial services: (1) Blockchain Business Application; (2) Blockchain Governance; (3) IT Risk Management; and (4) Legal Risk Management. This newsletter focuses on the fourth, Legal Risk Management. The BOT prepared the guidelines on the basis of international standards and regulatory guidance on blockchain technology, as well as its evaluation of blockchain projects tested under the Regulatory Sandbox.

With regard to legal risk management, financial service providers must comply with the relevant laws and must keep users’ data on the blockchain network secure, taking into account the laws in force and protecting data subjects’ rights and privacy. Providers must also take personal data protection into account so that legal risks are managed effectively and the provider and related parties are appropriately protected. The legal risk management guidelines are as follows:

(1) Where the provider is the administrator of a blockchain network, it should put in place a mutual agreement between the members and the other parties involved in the network. The agreement should stipulate, for example, the conditions regarding consensus (the mechanism by which every node in the network agrees on the correctness of the data through an agreed algorithm); the practices and frequency of data backup and data verification; and the transaction process and timeout behaviour of the blockchain system. This clearly defines who is responsible for what, creates a common understanding and reduces disputes between members of the network.

(2) An agreement on smart contracts (programs that store the terms of a contract on the blockchain network and execute them automatically when the prescribed conditions are met) should be put in place between the parties involved. It should cover, for example, the legal effect of the transaction; the validity of the transaction; the rights, duties and responsibilities of the parties; and the process for handling errors or disputes. The content and processes of each smart contract should be reviewed so that it complies with that agreement, with the law and with the provider's own policies.

(3) If the use of blockchain technology, or joining a blockchain network, involves personal data, the provider should assess the risks to the rights of the data subjects. Where the assessment finds a high risk, the provider should keep the personal data ‘off-chain’ (outside the blockchain network, e.g. in an in-house database) or consider other technologies or methods that keep control of the data in line with applicable law and personal data protection measures.

In addition, the provider should have a process for carrying out a data protection impact assessment (with reference to the relevant personal data protection laws and regulations). If there is a significant change in the collection, use or disclosure of personal data in connection with the blockchain system, the provider should review that assessment.

(4) Provide a process for regularly reviewing the information held on the blockchain network to determine whether it can identify a person, directly or indirectly, and therefore whether it may be classified as “personal data”. If so, in addition to complying with the BOT guidelines on data governance, the provider must take the utmost care to protect the privacy of that personal data and comply with the relevant laws.

(5) Financial service providers using blockchain technology must comply with BOT laws and regulations and other relevant laws, e.g. the law on electronic transactions, anti-money laundering, cyber security, personal data protection and digital asset business.

(6) Provide a process for educating users and related parties about the use of blockchain technology in financial products and services, so that they understand the benefits and potential effects of its use.

In light of the above, financial service providers under the BOT’s supervision that use a Private Blockchain Network should observe the guidelines set out above in order to comply with the required practice. For more information, please visit the BOT website:

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this or on other areas of law, please do not hesitate to contact:

Nuttaros Tangprasitti

Krid Pongprapaphan
