The Royal Decree on Measures for the Prevention and Suppression of Technology Crime B.E. 2566 (2023) was implemented on March 17, 2023. Its purpose is to mandate government agencies and financial institutions to collaborate in safeguarding citizens against fraudulent fund transfer scams and combatting criminals' evasion of transaction monitoring through the use of “mule accounts.”
While this Royal Decree empowers relevant agencies, including financial institutions and law enforcement, to suspend suspicious transactions and define criminal liability for the use of mule accounts, further measures are still necessary. These include providing assistance for victims of cyber fraud, particularly in cases involving call center scams and other forms of deception that trick victims into making financial transactions. The decree also mandates that financial institutions take responsibility for implementing systems to prevent financial damage and monitor customer transactions to prevent harm.
On January 28th, 2025, the Cabinet approved in principle The Royal Decree on Measures for Prevention and Suppression of Technology Crimes and Draft Cyber Security Maintenance Act in preparation for a legal update expected to be enacted in 2025.
What Is a Mule Account?
A mule account is a bank account that is opened by one person but used by another, typically a criminal, to receive and transfer funds obtained through illegal means. This allows the actual perpetrator to conceal their identity.
These mule accounts are often acquired with a copy of the account holder's ID card and an activated SIM card. This enables criminals to quickly link personal information with mobile banking services for online transactions. As a result, the 2023 Decree criminalizes the use and provision of these bank accounts and SIM cards (known as "SIM mules") for illicit purposes, including those who obtain them for criminal use.
Key Provisions of the Royal Decree on Measures for Prevention and Suppression of Technology Crimes B.E. 2566 (2023)
1. Data Sharing and Access
Financial institutions, telecom service providers, relevant businesses, and agencies (such as the Royal Thai Police and the Anti-Money Laundering Office - AMLO) are empowered to access and share customer account and transaction data. The Office of The National Broadcasting and Telecommunication Commission (NBTC) is responsible for developing a centralized database of user registration and SMS information to support investigations and preventive efforts.
2. Suspension of Suspicious Transactions
Financial institutions and payment service providers must suspend transactions and input data into a centralized system so all subsequent receivers are alerted and can block further transfers. Suspension applies in these scenarios:
- Suspicion detected by the financial institution or business itself.
- Information received from the central exchange system.
- Notification from a criminal investigation officer or the Secretary-General of the AMLO.
- Notification from a victim stating their account was used in technology-related crime.
A transaction can be temporarily suspended for 7 days. If no evidence or court order arises within this period, the suspension must be lifted.
3. Filing Complaints and Investigative Authority
Victims of scams can report to banks or financial institutions via the Financial Fraud Reporting Center to temporarily block suspicious transactions. They can also file complaints with any police station, the Cyber Crime Investigation Bureau, or online via www.thaipoliceonline.com within 72 hours. Investigators are then authorized to instruct financial institutions to freeze funds within 7 days.
4. Criminal Offenses and Penalties Related to Mule Accounts and SIM Mules
- Allowing others to use one's bank account, electronic card, or e-wallet without intending to use it oneself (Section 9).
- Facilitating, advertising, or promoting the sale, rental, or lending of such accounts or cards (Section 10).
- Facilitating or advertising the sale of mobile phone numbers (Section 11).
The current decree does not impose obligations on P2P platform operators to reject suspicious accounts or suspend services linked to criminal activity, nor does it compel mobile providers to block SIM cards used in crimes. It primarily emphasizes data sharing. Therefore, it is insufficient in dealing with emerging forms of digital fraud using e-money, digital assets, or rogue phone numbers, and it lacks provisions for victim compensation.
Highlights of the Draft Cyber Security Maintenance Act.
The Draft Cyber Security Maintenance Act (an amendment to the 2023 Decree) addresses five key areas:
1. Suspension of Suspicious Phone Numbers
Empowers the Office of The National Broadcasting and Telecommunication Commission (NBTC) or mobile service providers to temporarily suspend the service of suspicious mobile numbers either upon detection or when receiving information suggesting involvement in criminal activity.
2. Expand the authority to take action against asset-related platforms involved in criminal activities
Platforms are held accountable for criminal financial transactions. For example, Peer-to-Peer Lending (P2P) platforms would be prohibited from facilitating or offering services involving the trading of cryptocurrencies or utility tokens not primarily meant for consumption, aiming to curb money laundering via digital assets.
3. Faster Repayment for Victims
Authorizes the AMLO’s Transaction Committee to return funds to victims without requiring court proceedings, thus expediting the reimbursement process.
4. Greater Responsibility for Financial Institutions and Mobile Providers
Expands liability to include relevant service providers and social media platforms if they fail to exercise due diligence, resulting in harm to victims of cybercrime.
5. Add penalty provisions for digital asset trading or exchange service providers and those who trade personal data related to online criminal activities
Introduces penalties for digital asset service providers (including crypto and token exchanges) who launder criminal proceeds through digital currencies. Also penalizes individuals trading personal data involved in cybercrimes.
Article by: Miss Piyayon Plianpadoong, School of Law, University of Phayao
References:
1. The Royal Decree on Measures for the Prevention and Suppression of Technology Crime B.E. 2566
2. Draft Royal Decree on Measures for the Prevention and Suppression of Technology Crime (No. ...) B.E. ...
3. TBA - Understanding Mule Accounts
4. Thai PBS - Decree on Cybercrime Now Effective
5. Thairath - New Cyber Decree Increases Liability for Banks and Telcos
6. Policy Watch - Cyber Decree Enforcement in Feb 2025
7. Thai Government News - Emergency Powers Against Cybercriminals
8. BBC Thai - Will the New Cyber Decree Help Stop Call Center Scams?