BOT Mobile Banking Security Guidelines (4/2568) Compliance
The Bank of Thailand has significantly tightened mobile banking security regulations in response to escalating financial fraud, malware, and sophisticated cybercrimes. Ensure your applications meet the strict minimum security standards of Notification 4/2568.
What is BOT Notification 4/2568?
BOT Notification No. 4/2568, issued in early 2025, establishes strict minimum security standards for mobile banking applications in response to escalating threats of financial fraud, malware, and sophisticated cybercrimes such as social engineering and phishing. Together with the revised IT Risk Management Guidelines (2023), it creates a comprehensive security framework that all financial institutions and e-money providers must follow.
Reference: BOT Notification No. 4/2568 (Effective 2025)
Who Must Comply with BOT 4/2568?
All financial institutions, e-money providers, and payment service providers with customer-facing mobile applications fall under this regulation.
BOT 4/2568 Security Controls
Notification 4/2568, together with the BOT IT Risk Management Guidelines, mandates strict security controls across these key domains.
1-Person-1-Device & Device Controls
Users may register only one mobile device per mobile banking account per institution. Apps must refuse to run on jailbroken or rooted phones and on devices with severely outdated operating systems, which removes the compromised-device foothold that remote access trojans (RATs) rely on to take over a banking session.
Biometric Verification & Transaction Limits
Physical biometrics (facial recognition with liveness detection) are required for any single transaction exceeding ฿50,000 or when daily totals exceed ฿200,000. Risk-based daily caps also apply: vulnerable groups (minors under 15 and the elderly) are restricted to ฿50,000 per day.
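The thresholds above translate directly into a step-up authentication policy that the app backend evaluates before every transfer. The following is an added example written for this page, not code from Reconix or from the BOT notification. It uses the ฿50,000 single-transaction and ฿200,000 daily biometric thresholds and the ฿50,000 daily cap for vulnerable groups from the text; the daily cap for standard customers is left unset because the notification text here does not state one (an assumption, marked in the code), and the treatment of "daily total" as the running total including the transaction under review is an interpretation.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from enum import Enum


class RiskGroup(Enum):
    STANDARD = "standard"
    VULNERABLE = "vulnerable"  # minors under 15, elderly customers


class Decision(Enum):
    ALLOW = "allow"                        # proceed with the normal factor
    REQUIRE_BIOMETRIC = "require_biometric"  # step up to face + liveness
    DENY = "deny"                          # exceeds the group's daily cap


# Thresholds stated in the notification summary (THB).
SINGLE_TXN_BIOMETRIC_THRESHOLD = Decimal("50000")
DAILY_BIOMETRIC_THRESHOLD = Decimal("200000")

# Daily caps per risk group. The vulnerable-group cap comes from the text;
# the standard-group cap is left to institution policy here (assumption).
DAILY_CAP = {
    RiskGroup.VULNERABLE: Decimal("50000"),
    RiskGroup.STANDARD: None,
}


@dataclass
class DailyLedger:
    """Running total of completed transfers for one account on one day."""
    risk_group: RiskGroup
    day: date
    spent: Decimal = Decimal("0")

    def rollover(self, today: date) -> None:
        # Reset the running total at the calendar-day boundary.
        if today != self.day:
            self.day = today
            self.spent = Decimal("0")


def evaluate(ledger: DailyLedger, amount: Decimal, today: date) -> Decision:
    """Decide whether a transfer may proceed, needs biometrics, or is denied."""
    if amount <= 0:
        raise ValueError("transfer amount must be positive")
    ledger.rollover(today)
    projected_total = ledger.spent + amount  # daily total if this transfer completes

    # Hard cap first: a denied transfer never reaches the biometric prompt.
    cap = DAILY_CAP[ledger.risk_group]
    if cap is not None and projected_total > cap:
        return Decision.DENY

    # Step-up rule: large single transfer OR large cumulative daily total.
    if amount > SINGLE_TXN_BIOMETRIC_THRESHOLD or projected_total > DAILY_BIOMETRIC_THRESHOLD:
        return Decision.REQUIRE_BIOMETRIC
    return Decision.ALLOW


def commit(ledger: DailyLedger, amount: Decimal, today: date) -> None:
    """Record a transfer that actually completed (after any step-up passed)."""
    ledger.rollover(today)
    ledger.spent += amount


def standard_day_scenario() -> list:
    """Constructed sequence for a standard customer, returns the decisions."""
    d1, d2 = date(2025, 6, 1), date(2025, 6, 2)
    ledger = DailyLedger(RiskGroup.STANDARD, d1)
    decisions = []
    for amount, day, completes in [
        (Decimal("30000"), d1, True),   # small: allow
        (Decimal("60000"), d1, True),   # > 50k single: biometric
        (Decimal("40000"), d1, True),   # total 130k: allow
        (Decimal("80000"), d1, True),   # > 50k single: biometric, total 210k
        (Decimal("10000"), d1, False),  # total would be 220k > 200k: biometric
        (Decimal("10000"), d2, False),  # new day, total reset: allow
    ]:
        decisions.append(evaluate(ledger, amount, day))
        if completes:
            commit(ledger, amount, day)
    return decisions


def vulnerable_day_scenario() -> list:
    """Constructed sequence for a vulnerable-group customer."""
    d1 = date(2025, 6, 1)
    ledger = DailyLedger(RiskGroup.VULNERABLE, d1)
    first = evaluate(ledger, Decimal("30000"), d1)   # allow
    commit(ledger, Decimal("30000"), d1)
    second = evaluate(ledger, Decimal("25000"), d1)  # 55k > 50k cap: deny
    third = evaluate(ledger, Decimal("20000"), d1)   # exactly 50k: allow
    return [first, second, third]


if __name__ == "__main__":
    for decision in standard_day_scenario() + vulnerable_day_scenario():
        print(decision.value)
```

The cap check runs before the biometric check on purpose: a transfer that can never be allowed should not prompt the customer for a face scan, since that would train users to approve biometric prompts reflexively. A production service would also persist the ledger per account and apply the per-institution standard cap that this example leaves unset.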
Anti-Phishing & Communication Rules
Banks are strictly prohibited from embedding links in SMS messages and emails. Links sent via social media are only permitted when the customer has explicitly requested them. Institutions must not request sensitive information (usernames, passwords, OTPs, PINs, National ID numbers) through any channel.
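Because these communication rules are easy to violate through a single mis-authored template, an outbound-message check can enforce them before anything is sent. The following is an added example for this page, not Reconix's or BOT's code: it flags embedded links (the SMS/email prohibition) and any wording that solicits the sensitive items the text lists. The sample messages are constructed, and the domain in them is a placeholder.

```python
import re

# Anything that a customer could tap or paste into a browser counts as a link:
# full URLs, www. hosts, and bare registrable domains with common suffixes.
LINK_PATTERN = re.compile(
    r"(https?://\S+|www\.\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:co\.th|com|net|org|io|th)\b)",
    re.IGNORECASE,
)

# The sensitive items the notification says must never be requested.
SENSITIVE_PATTERN = re.compile(
    r"\b(otp|one[- ]time password|password|pin|national id|id card number|username)\b",
    re.IGNORECASE,
)

# Verbs that turn a mention into a solicitation; "Never share your OTP" is fine,
# "Reply with your OTP" is not.
SOLICIT_PATTERN = re.compile(
    r"\b(reply with|send us|enter|provide|confirm|share|verify) (your |the )?",
    re.IGNORECASE,
)


def lint_message(text: str) -> list:
    """Return a list of policy findings for one outbound SMS/email body."""
    findings = []
    for match in LINK_PATTERN.finditer(text):
        findings.append(f"embedded link: {match.group(0)}")
    for match in SENSITIVE_PATTERN.finditer(text):
        # Only flag when the sensitive term is preceded by a solicitation verb.
        window = text[max(0, match.start() - 30):match.start()]
        if SOLICIT_PATTERN.search(window):
            findings.append(f"requests sensitive data: {match.group(0)}")
    return findings


def is_compliant(text: str) -> bool:
    return not lint_message(text)


# Constructed sample templates; the domain is a placeholder, not a real bank.
SAMPLES = {
    "notice": "Your transfer of 1,500 THB to account ending 4421 was completed at 14:02.",
    "link": "Security alert. Verify your account at https://example-bank.test/login now.",
    "solicit": "To unlock your account, reply with your OTP and PIN.",
    "warning": "We will never ask for your OTP or password. Call our 24-hour hotline.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", lint_message(body) or "OK")
```

The solicitation window keeps the check from rejecting legitimate anti-fraud warnings that mention OTPs or passwords while still catching phrasings that ask the customer to hand them over; tune the verb list to the institution's template wording.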
Anti-Malware & Threat Monitoring
Apps must implement active malware detection to counter overlay attacks, in which a fake login screen is drawn over the legitimate app to capture credentials. Institutions must also actively scan for, and report, counterfeit versions of their banking apps on official and third-party app stores.
24/7 Incident Response & Real-Time Detection
Banks must operate a dedicated 24-hour hotline for fraud victims. Systems must detect suspicious transactions in near real-time and temporarily freeze them while investigating potential mule accounts.
IT Infrastructure & Encryption Standards
AES 256-bit encryption is required for data at rest and in transit. Stringent Identity and Access Management (IAM) controls are mandated for bank employees to prevent insider breaches, per the BOT IT Risk Management Guidelines (2023).
Mobile App Testing Scope
Our comprehensive testing validates all critical controls required by BOT 4/2568 and the IT Risk Management Guidelines.
Consequences of Non-Compliance
Failure to meet BOT mobile banking security requirements carries significant financial, operational, and reputational consequences.
Shared Financial Liability
Under the Emergency Decree on Technology Crime Prevention (2025), non-compliant institutions face a shared liability model — they are held financially liable for victim damages in proportion to their negligence (e.g., failing to freeze a known mule account).
Operational Restrictions
BOT may impose restrictions on mobile banking services including partial or full service suspension until security gaps are remediated.
Mandatory Immediate Remediation
BOT may require immediate application updates, or suspend the service, when critical security vulnerabilities are discovered during a BOT examination.
Increased Supervisory Oversight
Non-compliant institutions face elevated supervisory oversight, with more frequent examinations, mandatory progress reporting, and stricter compliance timelines.
Related Acts & Regulations
BOT's mobile banking security framework operates alongside several broader legal and regulatory instruments.
Emergency Decree on Technology Crime Prevention (No. 2, B.E. 2568)
Effective April 13, 2025, the decree enables immediate blocking of suspicious transactions and cross-institutional data sharing to track fraud, and establishes a shared liability model under which non-compliant institutions bear financial responsibility for victim damages in proportion to their negligence.
BOT IT Risk Management Guidelines (Refreshed Nov 2023)
These guidelines dictate backend security standards, including AES 256-bit encryption for data at rest and in transit and stringent Identity and Access Management (IAM) controls for bank employees to prevent insider breaches.
Financial Institution Business Act B.E. 2551 (2008)
The foundational law that grants the Bank of Thailand statutory power to issue and enforce binding regulations across all commercial banks and financial business groups operating in Thailand.
How Our Testing Addresses BOT 4/2568
We validate each specific mandate of BOT 4/2568 through targeted security assessments aligned with the regulation's requirements.
Ensure Your Mobile Banking App Meets BOT Requirements
Get a comprehensive security assessment aligned with BOT Notification 4/2568. Protect your customers and maintain regulatory compliance.
Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.