Thailand AML & Compliance Overview#
Thailand operates a risk-based AML/CFT regime anchored in the Anti-Money Laundering Act B.E. 2542 (1999) and administered by the Anti-Money Laundering Office. The framework has been progressively strengthened through amendments and subsidiary regulations, with expanding supervisory reach across financial institutions, designated non-financial businesses and professions (DNFBPs), and the emerging virtual asset sector.
Key Regulatory Institutions#
- Anti-Money Laundering Office (AMLO) — Primary AML/CFT authority and financial intelligence unit
- Bank of Thailand (BoT) — Central bank; supervises commercial banks and payment service providers
- Securities and Exchange Commission Thailand (SEC) — Regulates securities firms and virtual asset service providers
- Office of Insurance Commission (OIC) — Insurance sector supervisor
Core Legislation#
- Anti-Money Laundering Act B.E. 2542 (1999), as amended
- Counter Financing of Terrorism Act B.E. 2559 (2016)
- Emergency Decree on Digital Asset Businesses B.E. 2561 (2018)
- Revenue Code and Criminal Code (predicate offence provisions)
Compliance Requirements#
Reporting Obligations#
| Report | Threshold | Timeline |
|---|---|---|
| Suspicious Transaction Report (STR) | Activity-based | Within 30 days of suspicion |
| Cash Transaction Report (CTR) | THB 2,000,000 (~USD 55,000) | Per transaction |
| Cross-Border Cash Declaration | THB 450,000 (~USD 12,500) | At point of entry or exit |
Non-compliance penalties: Fines of up to THB 500,000; imprisonment of up to two years for wilful failure to report; licence suspension or revocation for persistent non-compliance.
Sanctions Regime#
Thailand implements UN Security Council sanctions as a matter of treaty obligation and maintains supplementary domestic watchlists administered by AMLO. Reporting entities are required to:
- Screen customers and counterparties against UN consolidated lists, OFAC SDN and non-SDN lists, EU restrictive measures lists, and the AMLO domestic watchlist
- Freeze assets of designated persons and entities immediately upon designation
- Report any matches or frozen assets to AMLO without delay
- Conduct ongoing monitoring to capture newly designated parties
There is no standalone domestic autonomous sanctions statute; the primary mechanism is the CFT Act, which gives effect to UN Security Council resolutions. Entities with international counterparties should apply the most restrictive applicable list.
Key Risk Typologies#
- Tourism-related cash layering through hospitality, currency exchange, and retail businesses
- Trade-based money laundering exploiting Thailand’s significant export and import volumes, particularly in electronics, gems, and agricultural commodities
- Casino and gaming complex risks in entertainment zones near the Myanmar and Cambodia borders
- Real estate purchases by foreign nationals used to layer proceeds, including nominee arrangements to circumvent foreign ownership restrictions
- Virtual asset exchanges and peer-to-peer platforms used for rapid conversion and layering
High-risk sectors: Tourism and hospitality, real estate, banking and money services, cryptocurrency exchanges, border trade zones
Data Protection & Record Keeping#
- Framework: Personal Data Protection Act B.E. 2562 (2019) (PDPA)
- Retention period: 5 years for financial records under the Anti-Money Laundering Act; 3 years for personal data under PDPA unless a longer period applies
- Data localisation: No blanket requirement, but cross-border data transfers require lawful basis under PDPA
- Breach notification: Within 72 hours of awareness to the Personal Data Protection Committee
Implementation Guidance#
Compliance Program Essentials#
- Risk-based customer due diligence aligned with AMLO Regulation No. 1/2562, including simplified CDD for lower-risk customers and enhanced due diligence for higher-risk relationships
- PEP identification and screening at onboarding and on an ongoing basis; enhanced scrutiny of domestic PEPs given Thailand’s governance environment
- Beneficial ownership verification for all corporate and legal arrangement customers; collection of ultimate beneficial owner details to the natural-person level
- Transaction monitoring calibrated to Thai baht thresholds and sector-specific typologies
- Annual AML/CFT risk assessment; staff training at onboarding and at least annually thereafter
Supervisory Trends 2025#
- AMLO expanding direct supervision of virtual asset service providers registered under the SEC’s Emergency Decree framework, including STR filing requirements for crypto exchanges
- Increased DNFBP oversight, with real estate agents, dealers in precious metals and stones, and legal professionals subject to more active AMLO inspection cycles
- Enhanced scrutiny of real estate transactions involving foreign buyers, including source-of-funds documentation requirements
- BoT advancing open banking and digital payments regulation, with corresponding AML/CFT expectations for new payment service providers
Thailand-Specific Compliance Considerations#
Key Red Flags:
- Large cash payments for real estate, particularly in Phuket, Pattaya, Chiang Mai, Bangkok, and other tourist-heavy areas
- Cryptocurrency-to-fiat conversions without documented source of funds or clear commercial rationale
- Casino chips or entertainment credit used to layer proceeds in border areas near Myanmar or Cambodia
- Foreign nationals purchasing high-value assets using offshore corporate structures or loan-back arrangements
- Currency exchange transactions just below the THB 2,000,000 CTR threshold (structuring)
- Tour operators or hospitality businesses receiving disproportionate revenue relative to capacity
Practical Guidance:
- Maintain dual-language (Thai and English) compliance documentation for regulatory examinations
- Build a direct reporting relationship with AMLO; the office publishes guidance and typology reports periodically
- For businesses in border provinces, apply heightened geographic risk ratings and document the rationale
- Virtual asset service providers should align with both SEC licensing conditions and AMLO AML/CFT obligations, which are administered concurrently
- Coordinate data protection obligations under PDPA alongside AML record-keeping to avoid conflicting retention practices