Financial Crime World

Policy Guidelines for Secure Payment Systems in Thailand

Section 3: Backup and Continuity Planning

Overview

To ensure the availability of payment systems, service providers or business providers must create backups of important information and establish guidelines for backup procedures.

Requirements

  • Create backups of important information to ensure availability.
  • Establish guidelines for information backup, including:
    • Frequency
    • Media (e.g., hard drives, cloud storage)
    • Storage locations
    • Preservation methods
    • Restoration procedures
  • Regular validation of backup systems is required at least annually.

Section 3.5: Business Continuity Plan

Overview

Service providers or business providers must develop a business continuity plan for highly important payment systems, designated payment systems, or designated payment services.

Requirements

  • Develop a business continuity plan that includes:
    • Analysis of risks and operations
    • Recovery time objectives
    • Written procedures and details of operation in case of suspension
    • Responsible persons, authorized personnel, communication plans, and call trees
    • Implementation practices and manual for problem-solving
    • Reserved locations for replacement operations
  • Regular training and testing are required.

Section 3.6: Maintenance of IT Systems

Overview

Service providers or business providers must provide regular maintenance to ensure continuity and keep equipment in good condition.

Requirements

  • Provide regular maintenance to ensure continuity and keep equipment in good condition.

Section 4: Security Audit of Information Technology Systems

Overview

Annual security audits are required to ensure that the policies and measures for the security of information technology systems are efficient and secure.

Requirements

  • Annual security audits are required.
  • A copy of the audit result must be submitted to the Bank of Thailand (BOT) within 45 days from the completion date.

Section 5: Review or Improvement on Security Measures of Information Technology Systems

Overview

Service providers or business providers must review or revise security measures at least annually, or whenever a change affects the policies and measures.

Requirements

  • Review or revise security measures at least annually, or whenever a change affects the policies and measures.
  • Training and education should be provided to related personnel.
  • Readiness of security measures for cyber threats, including protection, detection, response, and recovery, should be ensured.