Unofficial Translation With collaboration between the Bank of Thailand and the Association of

International Banks This translation is for convenience of those unfamiliar with Thai language.

Please refer to the Thai text for the official version.

______________________

Bank of Thailand Notification No. SVG. 1/2561

Re: Regulations on Market Conduct

______________________

1. Rationale

The Bank of Thailand attaches great importance to encouraging financial service providers to have responsible and fair market conduct, by emphasizing that (1) Customers are assured that service providers intend to provide fair and sincere services; (2) Customers receive appropriate and clear advice; (3) Customers are given products or services with fair prices and conditions; (4) Customers can conveniently use service, while their problems are appropriately taken care of; and (5) Service providers help customers to realize their rights and responsibilities.

However, as financial institutions recently provide more complicated financial services, and due to the development of new technologies and the increased reliance on fee-based income, there is an increase in service deficiencies in many aspects and customer complaints, which are caused by the unfair offering of products, forced selling, presentation of unclear product and service information leading to misunderstanding, the offering of products which may invade customer privacy, the unfair conditions, prices and terms of product and service agreements, as well as the disclosure of customer data without consent.

This Notification is essential part of encouraging service providers to operate sustainable business and have appropriate management to ensure that customers are well protected, while the security and well-being of the public are preserved and for the purposes of supervision. In order to achieve those objectives, , there must be: (1) The robust supervision – which covers the formulation of regulations that focus on the enhancement of the management of service providers to ensure long-term service quality, while the regulations, themselves, must be clear, practical, do not cause too

2

much burden, integrated as the regulations are specified in one particular notification (rather than in several notifications), legally enforceable and practically implemented, promote the transparent disclosure of information and facilitate the effective cooperation with other supervisory agencies; (2) Encouraging service providers to realize and place importance on fair market conduct, which is one of the key factors that promote the sustainable growth of income; (3) Encouraging service providers to make available information, both product information and service quality data, so that customers can choose the products that are appropriate to their needs with fair treatment, while there must be channels for giving assistance to customers as they encounter any problems.

This Notification sets out the frameworks, minimum requirements and examples of “acceptable/unacceptable” behaviors, which can be used as operating practices for a wide range of service providers, namely commercial banks, finance companies, credit foncier companies, companies within the financial business groups, non-bank credit card companies, and non-bank personal loan companies under supervision. The regulations also cover all service operation processes (end-to-end process), which can be categorized into the following 9 market conduct management systems: (1) Corporate culture and roles and responsibilities of board of directors and senior management; (2) Product development and client segmentation; (3) Remuneration scheme; (4) Sales process; (5) Communication and training; (6) Data privacy; (7) Problem and complaint handling; (8) 3 lines of defense; (9) Operation and business continuity.

In addition, this Notification also requires service providers to disclose product information and service quality data so that customers have relevant information and, accordingly, choose the products or services that are appropriate to their needs. As any particular service provider cannot comply with the minimum requirements, the Bank of Thailand may impose any other conditions to prevent an effect on a wide range of customers. On this, the regulations as specified in this Notification are mostly consistent with the regulations as specified by the Office of the Securities and Exchange Commission with regard to the sales of mutual fund/debt securities products and related services to reduce the burden of the service providers in complying with the inconsistent regulations.

2. Statutory Power

By virtue of Section 4, Section 36, Section 38, Section 39, Section 40, Section 41, Section 56, Section 58 and Section 71 of the Financial Institution Business Act B.E.2551, the Bank of Thailand hereby issues regulations on market conduct, as

3

specified herein, which shall apply to financial institutions and companies within the financial business groups

By virtue of Clause 5 and Clause 8 of the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 dated 11 November 2002 (B.E.2545) and the amendments thereof, the Bank of Thailand hereby issues regulations on market conduct, as specified herein, which shall apply to non-bank credit card companies

By virtue of Clause 5 and Clause 8 of the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 (Personal loans under supervision) dated 9 June 2005 (B.E.2548) and the amendments thereof, the Bank of Thailand hereby issues regulations on market conduct, as specified herein, which shall apply to non-bank personal loan companies under supervision

3. Repealed Policy Statements and Circulars

The following policy statements and circulars shall be repealed:

3.1 The Policy Statement of the Bank of Thailand Re: Presentation of Banking Product Information dated 1 October 2013 (B.E.2556)

3.2 The Policy Statement of the Bank of Thailand Re: Supervision of Sales of Securities and Insurance Products through Commercial Banks dated 21 November 2012 (B.E.2555)

3.3 The Circular No. BOT.FPG.(23) Wor.201/2558 Re: Request for Cooperation in Notifying Any Changes to Service Conditions to Customers dated 6 February 2015 (B.E.2558)

3.4 The Circular No. BOT.FPG.(23) Wor.202/2558 Re: Request for Cooperation in Notifying Any Changes to Service Conditions to Customers dated 6 February 2015 (B.E.2558)

4. Scope of Application

This Notification shall apply to:

4.1 All financial institutions according to the Financial Institution Business Act B.E.2551 and the amendments thereof

4

4.2 All companies within the financial business groups according to the Bank of Thailand Notification Re: Consolidated Supervision and related notifications, excluding nano-finance companies under supervision, e-payment companies, asset management companies and companies that operate specific business under supervision of other supervisory agencies e.g. securities companies, asset management companies, life insurance companies, non-life insurance companies

4.3 All non-bank credit card companies according to the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 dated 11 November 2002 (B.E.2545) and the amendments thereof that are not companies within the financial business groups according to the Bank of Thailand Notification Re: Consolidated Supervision and related notifications

4.4 All non-bank personal loan companies under supervision according to the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 (Personal loans under supervision) dated 9 June 2005 (B.E.2548) and the amendments thereof that are not companies within the financial business groups according to the Bank of Thailand Notification Re: Consolidated Supervision and related notifications

5. Contents

5.1 Definitions

“Financial institution” means a commercial bank, finance company, or credit foncier company according to the Financial Institution Business Act.

“Financial business group” means a financial business group according to the Bank of Thailand Notification Re: Regulations on Consolidated Supervision and related notifications.

“Service provider” means one of the following financial institutions or companies that is the owner of products, or the advisor or seller of products:

(1) A financial institution

(2) A company within the financial business group that is not a nano-finance company under supervision, e-payment company, asset management company, and company that operates specific business under supervision of other

5

supervisory agencies e.g. securities company, asset management company, life insurance company, non-life insurance company

(3) A non-bank credit card company according to the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 dated 11 November 2002 (B.E.2545) and the amendments thereof that is not a company within the financial business group according to the Bank of Thailand Notification Re: Consolidated Supervision and related notifications

(4) A non-bank personal loan companies under supervision according to the Notification of the Ministry of Finance Re: Businesses Subject to Approval According to Section 5 of the Revolutionary Council Decree No.58 (Personal loans under supervision) dated 9 June 2005 (B.E.2548) and the amendments thereof that are not companies within the financial business groups according to the Bank of Thailand Notification Re: Consolidated Supervision and related notifications

“Product” means any financial product and service that a service provider is the owner, advisor or seller, including the product under supervision of other supervisory agencies e.g. debt securities, mutual fund units, life and non-life insurance.

“Customer” means a natural person or juristic person that is the existing user of a financial product, including a person who inquires about product information, a person who is informed of product details through any media, or a person who is invited or offered by a service provider to purchase a financial product.

“Vulnerable customer” means a customer who may need cautious communication and service from a service provider e.g. an elderly customer with the age of 60 years or more, a customer with limited financial literacy or limited experience in using the product, or a customer with communication or decision-making disorder e.g. a person with hearing or visibility impairment or ill health.

5.2 Principles

The key principles of this Notification is to ensure that customers are fairly treated and protected, while the security and well-being of the public are preserved, as follows:

5.2.1 Customers are assured that service providers intend to provide fair and sincere service; and, in providing service to retail customers, there should be basic

6

products and services so that a wide range of customer can access the service at reasonable prices.

5.2.2 Customers receive advice that is appropriate to their needs, financial capability and understandability, while the customers must not be disturbed and receive clear, complete and sufficient information to make a decision with true understanding, before, during and after buying the products, and that information can conveniently be used for making a comparison between different products of the same or different service providers.

5.2.3 Customers are provided fair products and services, in respect of prices and conditions, that are appropriate to their needs and capability, and meet their expectations, while data and assets of the customers are securely prevented from inappropriate use.

5.2.4 Customers are provided convenient and fair after-sale service e.g. customers can conveniently change the service, product and service provider, file a complaint, or ask for redress.

5.2.5 Customers have understanding of their rights and duties for the use of financial services, as service providers have a leading role in giving financial knowledge to their customers.

5.3 Regulations

Regulations on market conduct consist of management standards on 9 management systems, disclosure of product and service quality data, imposition of additional conditions, and deferral or termination of service. On this, as service providers enter into an outsourcing arrangement with third-party service providers or appoint the agents, the service providers must take responsibility as they provide the service themselves.

5.3.1 Management systems – in providing service to retail customers and small-sized enterprises that are likely to be unfairly treated, service providers must have management in accordance with regulations on the nine market conduct management systems (as detailed in Attachment 1 – 9), the essence and intended outcome of each management system are as follows:

(1) Corporate culture and roles and responsibilities of board of directors and senior management – the board of directors and senior management of service providers must have responsibility for promoting fair market conduct in a

7

concrete and effective way, while fair market conduct must be treated as the core of corporate culture (as detailed in Attachment 1).

(2) Product development and client segmentation – service providers offer products that are appropriate to needs, financial capability, and understandability of each category of their target customers, while those products are also appropriate to sales skills of their staff, operating systems as well as capability to control the sales quality and fair treatment of customers, and the customers are offered fair products, in respect of prices and conditions (as detailed in Attachment 2).

(3) Remuneration scheme – service providers set out a remuneration scheme and punitive measures by placing importance on service quality for all levels of staff involved in providing service to customers, including the management with oversight responsibility, in order to promote fair market conduct (as detailed in Attachment 3).

(4) Sales process – customers are offered products and services by not invading their privacy, receive all important information that is not exaggerated or twisted and sufficient to make a decision with true understanding (as well as sufficient to decide if they should continue using the service), and receive products or services that are appropriate to their needs, financial capability and understandability (as detailed in Attachment 4).

(5) Communication and training – all levels of staff involved in providing service to customers are communicated so that they realize the importance of fair market conduct, as well as receive sufficient training so that they have knowledge to perform their duties, which will ensure fair market conduct and promote the actual implementation (as detailed in Attachment 5).

(6) Data privacy – customer data must be safeguarded, as service providers place importance on customer privacy and data security, while the transmission of customer information to other entities must not invade customer privacy (as detailed in Attachment 6).

(7) Problem and complaint handling – the handling of customer problems and complaints as well as redress package are clear, timely, independent, effective and fair (as details in Attachment 7).

(8) 3 lines of defense – for customer service management, there must be operating processes, control systems, and an audit of the operations that give

8

priority to fair and sound treatment of customers, while there must be a system that can effectively detect risks and irregularities in order to prevent any potential losses (as detailed in Attachment 8).

(9) Operations and business continuity – for customer service management, there must be operating systems, risk management and business continuity plans, under ordinary circumstances and in the event of an emergency, to ensure that customers’ instructions or wishes have accurately, completely and timely been responded and that the customers are provided undisrupted services and fairly treated (as detailed in Attachment 9).

For other categories of customers e.g. medium and large sized enterprises, service providers must apply above regulations appropriately to the likelihood that each category of customers may be treated unfairly, which may vary according to the category of customers or products, by setting out internal policies and processes as well as having in place the implementation control, while those policies and processes must be reviewed to ensure their practicality on an ongoing basis.

5.3.2 Disclosure of data – for the purposes of customer protection and preservation of security and well-being of the public, service providers must disclosure the following data:

(1) Data related to supervisor-imposed fines and accusations as service providers violate or fail to comply with this Notification; for service providers that are financial institutions according to Clause 4.1 or companies within the financial business groups according to Clause 4.2, they shall comply with the following regulations:

(1.1) As the law enforcement committee of the Bank of Thailand imposes fines on or makes an accusation against any of the above service providers, the service provider must disclose that information on its website within 3 days from the day the Bank of Thailand discloses such information. The disclosed information must be of the same set as disclosed by the Bank of Thailand, which can be clearly and easily accessed from the homepage of the service provider’s website.

(1.2) As the inquiry officials or court impose fines on or prosecute any particular service provider due to the accusation made by the Bank of Thailand according to Clause 5.3.2 (1.1), the service provider must disclose that information on its website within 5 days from the day the service provider is informed

9

of those fines or charges by the trial court, the appeal court, and the supreme court, as the case may be, using the wording as approved by the Bank of Thailand.

On this, for service providers that are credit card companies according to Clause 4.3 or personal loan companies under supervision according to Clause 4.4, the Bank of Thailand will further require them to disclose the above information.

(2) Service quality data and product information – service providers shall disclose service quality data, classified according to the type of products and problems, in the format that is easy to understand, as well as disclose product information, especially features, conditions and key limitations so that customers understand the details of products and can easily make a comparison, according to the regulations and forms to be further specified by the Bank of Thailand.

5.3.3 Additional conditions, deferral and termination of service – the Bank of Thailand may impose additional conditions, defer or terminate certain part or the entire service in the following cases:

(1) Service providers violate or fail to comply with the regulations as specified in this Notification.

(2) Other cases that the Bank of Thailand deems that they may affect the security and well-being of the public.

According to the power of the Bank of Thailand as given by laws

6. Effective Date

This Notification shall come into effect from the day following its publication in the Government Gazette onwards.

Announced on 12th January 2018 (B.E.2561)

(Mr. Veerathai Santiprabhob) Governor

Bank of Thailand

10

Financial Consumer Protection and Market Conduct Department Tel. 0 2356 7339, 0 2283 5834 Fax. 0 2356 7585

1/1

Attachment 1

Minimum standards on corporate culture, and roles and responsibilities of board of directors and senior management

The board of directors and senior management of service providers must have responsibility for promoting fair market conduct in a concrete and effective way,

while fair market conduct must be treated as the core of corporate culture

1.1 Set out a policy and strategic plan that reflect business practices that highlight the establishment and conveyance of fair market conduct culture in writing, where the board of directors and senior management must have leading roles and responsibilities, and the board must approve such policy. The fair market conduct culture must be communicated and conveyed to all related units and staff, and be implemented consistently throughout the organization and units involved in providing financial services to customers

1.2 Assign the top executive to have responsibility for promoting fair market conduct in an effective and concrete way; this responsibility may be delegated to the executive or a working group chaired by the executive ranked no lower than 3 levels from the top executive to ensure that the oversight of market conduct is systemically and consistently carried out and can respond to current circumstances, while the overall results and risks can be comprehensively assessed, as well as any gaps can be rapidly and effectively been identified and closed

1.3 Assign related persons or units to have responsibility for market conduct operations or cooperation for each “market conduct management system”, by clearly specifying duties, responsibilities and controller, while there must be the segregation of duties between involving units to ensure the effective verification, balance of power, independent operations, and to prevent a conflict of interest of involving staff or units

1.4 Have in place adequate staff, in respects of quantity and quality, which should be consistent with business volume and ensure that they can effectively perform their duties, while there must be those responsible for supervising, controlling and monitoring their operations; in addition, staff’s knowledge and competencies must be improved on an ongoing basis in response to the current circumstances

1.5 Communicate to all related staff and external stakeholders to ensure that they are informed and aware of the intention of the service provider to promote fair market conduct; however, for a particular service provider, a shift of staff’s thought patterns

1/2

may be required, therefore, the board of directors and senior management must demonstrate their commitments to promoting fair market conduct and must have a leading role, while those responsible for internal control function, compliance function, and audit function must assess the improvements and achievements of the staff involved in the market conduct management systems

1.6 The board of directors and senior management effectively monitor and control the overall business operations to ensure that they meet market conduct regulations, as there must be a regular report on this matter or by monitoring the trend of complaints, results of customer satisfaction survey, results from conducting mystery shopping, as well as compliance report

2/1

Attachment 2

Minimum standards on product development and client segmentation

A service provider offers products that are appropriate to needs, financial capability, and understandability of each category of their target customers, while those products are also appropriate to sales skills of their staff, operating systems as well as capability to control the sales quality and fair treatment of customers, while the customers are offered fair products, in respect of prices and conditions

2.1 There must be a process for developing or selecting products that will be sold to customers by considering the highest benefits of customers; in developing or selecting appropriate and quality products to be sold to customers, the following matters should be considered:

2.1.1 The products must be appropriate to needs, financial capability, and understandability of each group of target customers e.g. by considering if the customers have intention to buy the products with these particular features or conditions, if the customers have ability to understand the features of the products, or if the customers have financial capability to take any obligation or risks from using the products (e.g. a service provider must not sell structured products, such as unit-linked products, to a wide range of customers or customers that do not have ability to understand the products). On this, the target customers must understand the features of products and services, and be able to easily compare the conditions and prices of products and services.

2.1.2 The appropriateness of conditions and benefits of the products, as their prices and fees must be appropriately set and reflect actual costs, while the customers must not be exploited, and a service provider must not be in collusion with other service providers to set the prices, features and conditions that are disadvantageous to customers, especially setting the interest rates and fees that do not reflect actual costs. On this, the customers must be able to easily assess and compare the conditions and prices of products and services.

On this, a service provider must not cross-sell the products, except the sale of the other products that are for hedging risks of the main products to a significant extent, e.g. selling fire insurance together with a mortgage loan, selling car insurance together with car hire purchase. And, providing products without request from customers (pre-approved) are not allowed e.g. issuing a credit card or extending a personal loan to a customer without the customer’s request. In providing certain

2/2

services to a particular group of customers e.g. safe deposit box service, a service provider must set reasonable conditions and prices and clearly disclose them e.g. on the service provider’s website.

In addition, a service provider that focuses on retail customers, it should have in place basic products and services to increase the accessibility to financial services of those who may need special care e.g. elderly customers, disabled persons as well as customers with low level of income, at reasonable prices, according to the regulations to be further specified by the Bank of Thailand.

2.1.3 The appropriateness of sales channel e.g. branches or websites, especially for the sale of complicated products that require clear and cautious communications, to ensure that customers have sufficient and correct information for making their decisions

2.1.4 Capacity of the sales staff to understand the features of products and to communicate the product information and give advice

Example: If most of the sales staff of any service provider do not understand the features of structured products e.g. unit-linked products or are not capable of explaining the clear features of products to customers, a service provider must limit the sale of those products to only branches with capable sales staff and must not sell the products at all branches to prevent the improper sale of products.

2.1.5 A practice and management plan for communications of product information and procedures so that sales staff and those at points of sales can provide accurate and complete product information to customers

2.1.6 Operating systems, sales process, and control, oversight and audit (3 lines of defense) that can assure the effective and quality sale of products

2.1.7 Causes of product and service problems (past experiences) to ensure that the products have been improved

2.2 In developing or selecting products, related persons/units should take part, and the decision must be based on comprehensive supporting information, while the discussions must be recorded and the final judgment is made by responsible management

2/3

Example: Related persons should consist of those from the legal function, risk management function, compliance function, internal audit function, operations function, and sales function

2.3 In selecting products that a service provider does not develop those products itself, the service provider must conduct product due diligence by considering their nature, conditions and associated risks, with clear and deep understanding of the products. If a service provider finds that there is inadequate information to conduct due diligence for any particular products, the service provider must not sell those products.

2.4 Products must be classified according to their complexity, risks or any criteria, and there must also be the classification of customers (client segmentation) in order to decide appropriate products for each category of customers, sales procedures, communication and staff training, control and reviews of sales practices.

2.5 There must be the implementation of measures to prevent the sale or offering of illegal products or business arrangements that may lead to risks or conflict of interest issues

2.6 There must be a fair practice for addressing customer issues or redressing any damage to customers from the use of products

3/1

Attachment 3

Minimum standards on remuneration scheme

A service provider sets out a remuneration scheme and punitive measures by giving top priority to quality of service, which apply to all levels of staff involved

in providing service to customers as well as the management with oversight responsibility to promote fair market conduct

3.1 A service provider shall set out the structure of remuneration, for each individual staff member or for a group of staff members (key performance indicator – KPI), incentives, as well as punitive and non-punitive measures, which strictly apply to all levels of staff taking part in all market conduct management systems, including management with oversight responsibility, while the punishment must be imposed appropriately to the levels of violation.

3.2 In determining the structure of remuneration, punitive and non-punitive measures, the fair market conduct must be considered, especially those responsible for designing the products, setting out requirements and conditions of the products, and sales documents should receive remuneration packages depending on the accuracy, clarity and fairness of those conditions and sales documents, while those responsible for selling the products and for sales supervision must receive remuneration packages depending on the quality of sales as sales professionals (non-sales KPI), not depending only on their sales volumes (sales KPI) or not depending on sales target of a particular type of products (product-focused approach), which may lead to improper sales, low-quality advice or mis-selling.

Example: A service provider may assign a particular independent unit to review and evaluate the quality of service of sales staff and the head of sales function e.g. by grading the quality of service of sales staff and, accordingly, using those grades as one of the factors for determining commission for sales staff. That unit may randomly review evidence or sales documents or inquire information from customers after they have purchased products and services to find if there is an indicator of any mistakes in the offering of products or services that may affect customers e.g. sales staff collect incomplete customer information, give inappropriate advice, cannot explain or give sufficient product information, or used to violate the regulations.

3.3 There must be an assessment of risks from the remuneration structure and from the implementation of punitive and non-punitive measures on an ongoing basis, by

3/2

taking into consideration customer complaints about financial services from any other sources e.g. risks from sales stimulation, risks from providing incomplete product information or warnings, risks from selling inappropriate products, risks as sales staff do not have knowledge or qualifications to give advice or sell products to customers. On this, a service provider must have measures or tools for preventing and managing those risks, and must promptly make modifications to those measures or tools in response to any significant issues.

4/1

Attachment 4

Minimum standards on sales process

Customers are offered products and services by not invading their privacy, receive all important information that is not exaggerated or twisted and sufficient

to make a decision with true understanding (as well as sufficient to continue using the service), and receive products and services that are appropriate to their

needs, financial capability and understandability

4.1 Sales and service preparation process

4.1.1 Readiness of sales operating systems

(1) There must be sales procedures that are comprehensive, clear and appropriate to the type of products and sales channels, by preparing sales instructions that specifies the acceptable and appropriate roles and responsibilities of sales staff, while the presentation procedures must be appropriate to the nature of each category of customers, as well as customer needs, financial capability, and understandability. On this, a service provider must regularly review the sales procedures to ensure that they are still appropriate under the current circumstances e.g. there must be a meeting between the branch manager and sales staff to exchange any findings in order to make further improvements to sales operations.

(2) There must be systems or tools that promote the effectiveness of a sales process e.g. online devices, computer software, sales forms/documents and help desks. Those systems or tools must be reviewed to ensure that they are still appropriate under the current circumstances.

(3) The scope of the operations of sales staff must be limited, as “dos” and “don’ts” behaviors which must be communicated to all sales staff at sales or service points. Where a service provider wishes to provide service to customers at any particular sales or service point but without qualified sales staff, the service provider must put in place any other supporting system to ensure that customers using service at that service point receive complete, accurate and fair service.

(4) The presentation of products and services must help customers to differentiate if any particular product is the main product or product of other service provider to ensure that the customers are not confused or misunderstood e.g. the customer misunderstands that the purchase of insurance is to make deposits.

4/2

Example: In selling deposit products, capital market products or insurance products, a service provider may separate the sales areas, display a banner or sign over the counter, or prepare sales documents or instructions or descriptions, or use any other processes.

(5) There must be systems, tools and processes to ensure that the sale of products and services does not invade customer privacy, while customer information is acquired legally, in accordance with the internal policy of the service provider, especially face-to-face sales and tele-sales.

Example: A service provider specifies the timeframes and maximum times that it will contact each customer, sets out a practice if customers are not interested in the products, implements punitive measures for interfering or forced sales, puts in place a do-not-call list system (and regularly updates the list) for the customers who do not want to be contacted, creates a website or email address for publicizing the products and for customers who are interested in the products can give their telephone numbers so that the service provider can, later, offer the products.

(6) In approaching new customers, their contact information must be legally acquired, in accordance with the internal policy of the service provider. If customers enquire about the source of their information, a service provider must “clearly and promptly” give an explanation of the source of the information that the customers have given their consent e.g. at once or no more than 3 days, and this must not cause any other burden to the customers e.g. do not inform customer to ask call center by themselves.

(7) In offering products and services to customers that a service provider contacts customers itself e.g. tele-sales, email or SMS marketing, the service provider must clearly inform the customers that they have rights to decline any communications from the service provider and also inform the channels for cancelling those communications. Where any particular customer chooses to decline any communications from a service provider, the service provider must arrange to fulfill the customer’s request without delay e.g. within 24 hours after the request is received. Under certain circumstances as deemed necessary, if the customer’s request cannot be fulfilled “immediately”, a service provider must arrange to cancel all communications to the customer without delay e.g. within 7 days from the day the service provider receives the request (and the request must be completely fulfilled without delay).

4/3

Example: For tele-sales, a service provider must require its sales staff to notify customers, as part of the conversation, that they can decline any communications from the service provider. If a service provider sets a “do-not-call” timeframe (after this period the call can be made again), it must notify this to customers and give the option for customers to permanently decline all communications.

(8) In case of tele-sales, there must be a system for tracking the names of sales staff who have contacted customers, telephone numbers, and the names of customers that have been contacted, as that information will be used to verify if a service provider has legally acquired contact information of customers according to its internal policies. In addition, that information can be used as references in case where there are customer complaints or issues.

(9) There must be a system or process to verify the quality of sales through any channels to ensure that those sales are not the forced sales, fraudulent sales and intrusive sales, and are transparent e.g. conducting tele-sales with a voice recording system, putting in place call back/welcome call service.

4.1.2 Selection of sales staff

(1) Sales staff must have knowledge and understanding of products they are going to sell, and also have sufficient knowledge and competence appropriate to the type of products they are going to sell. The recruitment and selection of sales staff must be based on educational background, knowledge, attended training courses, and sales skills.

(2) There must be a process to ensure that the recruited sales staff have knowledge and ability to explain the features of products they are going to sell, especially products that may carry higher risks or are more complicated than any other products, which is rather difficult for the sales staff to explain those features to customers. In addition, there may be an additional process for selection appropriate sales staff e.g. the service provider may assign a particular group of sales staff to offer complicated products to customers, where those staff may have experiences in selling products that carry higher risks or are complicated than any other products, have specific knowledge, have capability to learn the features of products that carry higher risks or are complicated than any other products, have good communication and presentation skill, and have a good service attitude (service mind).

4/4

(3) If a service provider sells financial products under supervision of other supervisory agencies e.g. mutual fund units, debt securities, life or non-life insurance, it must communicate to customers that the sales staff that the customers communicate with or ask for product information have been appointed for selling those products e.g. placing an “updated” list of sales staff at the points of sale, placing a banner over the sales counters, requiring sales staff to wear the badges, so that the customers can clearly notice them, while the sales staff should identify or communicate to customers about the scope of products or services that they are able to sell or provide.

Example: Where a service provider assigns Mr.A to sell or provide uncomplicated products and services or the main products of the service provider, if, while selling or providing those products and services, the customer wishes to buy other complicated products or products under supervision of other supervisory agencies, which Mr.A is ineligible to sell, Mr.A must inform this to the customer, and the service provider must assign other eligible sales staff to sell those products to the customers.

4.1.3 Supporting tools (that help describe the features of products)

There must be tools that help sales staff to describe the features of products so that customers are easily informed and understand those features, where all information of products must be indicated, including conditions, rights, benefits and warnings – which must be accurate, clear, not exaggerated, twisted and sufficient for customers to make their decisions. Those tools may be in the form of sales sheets, advertising media, and for products that carry higher risks or are complicated than any other products, a service provider may use other appropriate media. In selling products through channels that sales staff cannot directly communicate with customers e.g. selling products on the internet, the information can be presented in other forms which ensure that customers must receive sufficient product explanations.

4.2 Sales and service processes

Sales and service processes must be appropriate to the nature of business operations and each type of services, as follows:

4.2.1 Data collection and customer analysis

Before selling products to customers, a service provider must have the following process:

4/5

Customer segmentation and know your customer (KYC) process

(1) Specify customer segmentation approaches e.g. retail customers classified as vulnerable customers, so that the service provider can offer products that are appropriate to each type of customers, as well as provide information or warnings that are appropriate to each type of customers

(2) There must be procedures and systems for acquiring and knowing customer information; and the service provider must conduct a KYC process to ensure that it knows the customers’ identities, including customers’ needs, financial capacity, and understandability so that it can give appropriate explanations and offer appropriate products, which would help prevent the involvement in any illegal acts or disputes afterwards.

(3) If a service provider receives insufficient customer information or finds that certain customer information is suspicious so that it cannot identify the true identity of any particular customer, it must not provide service to that customer.

(4) In selling products, sales staff must not assume that any particular product fits all customers within the same segmentation and must offer products based on each customer’s qualifications and information, which may include other factors e.g. customer’s age, experiences in using financial services, intentions and financial limitations, therefore, this particular product may not fit all customers and this assumption may lead to the inappropriate sales of products.

Customer information verification system

There must be a verification system to ensure that customers give information by themselves. All related documents must be signed by customers or their authorized signatories, while customer data must be regularly reviewed and updated.

4.2.2 Presentation of product information

(1) There must be a system that will ensure that customers are offered choices of products that they are interested in and key distinctions, as well as explained and provided with a product sales document that summarizes key features of products, completed details of conditions, benefits and warnings (minimum information to be disclosed is specified in Attachment 4.1). The product information must be accurate, clear, not exaggerated, twisted and sufficient for customers to make their decisions, and the product conditions and warnings must be highlighted, including

4/6

a distinction between the main products of the service provider and those of other service providers e.g. a distinction between deposit products and capital market or insurance products should be highlighted (e.g. issuers, features), as well as other conditions e.g. if customers are required to buy any other products as prerequisite for entering into the products they have requested to use. Customers must have rights to buy the main products or comparable products separately from the supplementary products.

On this, a service provider must have a process to verify the compliance with the regulations e.g. requiring the staff offering products to customers to sign off the sales documents, to ensure that the sales are not the forced sales, fraudulent sales and intrusive sales, and are transparent.

Example: In presenting product information, a service provider must “not”: - inform that the product is “free”, is a “giveaway” or is “free of charge” if,

in reality, that product is embedded with certain expense or condition that makes it “not for free”, “not a giveaway” or “cost something” in the future

- inform that the product, including marketing gifts, is sold or provided over a limited period or there is a limited supply, which is apart from the fact, in order to urge the immediate purchase

- urge or encourage a customer to purchase the product by any approaches e.g. arranging a market campaign by giving unreasonable rewards, gifts or refunds

- inform that the product without a principal guarantee is a deposit product

- make customers expect that the product offers the remarkably high rate of return, that, in fact, is not possible

- make customers expect any other gifts or benefits that, in fact, do not exist

(2) There must be additional operating procedures for offering products that carry higher risks or are more complicated than any other products, where customers must be informed that those products cannot be sold without proper advice, while special processes may be carried out. Sales staff must explain, emphasize, and warn customers of important conditions, risks or complexity of the products comparing to any other products.

4/7

(3) In selling products and services through digital channels e.g. internet banking or mobile banking, a service provider must set out sales/service approaches or practices that are appropriate to the channels, while there must be the presentation method, control and review systems to ensure that customers receive complete and accurate information, advice and service.

In offering products that are more complicated than basic products or have special features, which are rather difficult for a service provider to explain those features to customers through digital channels, the service provider must apply an additional approach to ensure that the customers are informed of important features or conditions of those products before they decide to purchase the products for the first time, so that the customers have sufficient information to understand and determine if they should buy the products.

Example: An additional approach for offering complicated products through digital channels may include the use of “weblink” or a sales channel that customers can communicate with sales staff e.g. VDO conference.

(4) In offering products and services to vulnerable customers who may need higher levels of protection than other groups of customers, a service provider must cautiously communicate and offer products to this group of customers, and must place importance on the offering of products that are appropriate to this group of customers, by setting out a sales process that focuses on a Know-Your-Customer process to ensure that the service provider is aware of the customers’ needs, financial capability and understandability and can, accordingly, provide sufficient product information and warnings and, also, offer appropriate products, or, even, consider using additional processes to ensure that the products are cautiously offered to the customers.

Example: A service provider may require the customer together with the customer’s relatives to participate in the presentation of complicated products, and require the branch manager or the unit head to examine if the product offering by its staff is appropriate, while there must be a system to monitor the quality of the product offering to all vulnerable customers.

(5) A service provider must give evidence of transaction to customers, for all transactions, and the customers must be given the rights to decline the receipt of that evidence.

4/8

4.2.3 Post-sale information

(1) A service provider must always notify customers of any payments/charges for the use of products that the customers must pay or will be collected from customers before the due date, and there must be a sufficient timeframe for the customers to verify those payments/charges or file a dispute over those payments/charges. Details of those payments/charges must be provided to customers e.g. monthly payments, outstanding balance of loans, interest, late payment fees, debt collection fees, insurance fees, annual fees, renewal fees.

If a service provider has a specific practice for certain types of loans, as customers will not be informed of their due monthly payments in advance, the service provider must have a process to ensure that the customers have been aware of and understand conditions of those payments and their obligations in full. If there are also any other fees/charges, apart from monthly payments e.g. insurance fees, customers must be clearly informed of the collection of those fees/charges in advance as well as the results if the customers do not pay them.

In notifying customers of any payments/charges on loans or similar products that the customers must pay or will be collected from customers, a service provider must also notify the customers of the results if they fail to make payments or make partial payments so that they have complete information for making the decisions.

(2) A service provider must give evidence of payment to customers for all transactions, which must indicate the items that the customers have paid for.

(3) Where there are any changes to the conditions of products and services that may affect customers, the essence of those changes must be clearly communicated or informed to the customers in advance within an appropriate timeframe e.g. no less than 30 days in advance of the effective date of those changes.

Where there are any changes that significantly deteriorate customer benefits, especially an increase in service fees that customers have to frequently pay in order to continuously utilize the service, changes that may put rise to risks or burden of customers e.g. credit line extension for credit card, as well as any changes to the conditions on change of products and service providers that causes significant burden to customers e.g. an increase in penalties for early redemption of mortgages, the service provider must receive consent from customers. If the customers have no objection to those changes, within the specified timeframe, it is considered that the

4/9

customers agree to those changes (opt out). This excludes the cases where there may exist significant damage to a service provider, which will be further specified by the Bank of Thailand, the service provider may inform the changes to customers after they become into effect within an appropriate timeframe. Noted that consent from customer does not include consent which it embedded in contracts where such consent is considered unfair terms and conditions.

(4) There must be operating systems and practices in accordance with regulations on the sales of products and services, including the Debt Collection Act.

4.1/1

Attachment 4.1

Minimum information to be disclosed to customers

A service provider must disclose, explain and deliver information of the products that are offered to customers so that they can make a decision based on such information, or information of service that the customers currently use.

Table 1: Minimum information for deposit and debit card products

Deposit and debit card products

Basic deposits (e.g. savings, fixed

deposits)

Structured deposits (e.g. step-up deposits, tax-

free fixed deposits)

Debit cards

1. Name of product 2. Annual interest rate 3. Minimum amount of

deposits 4. Deposit term (for

fixed deposits) 5. Interest rate in case of

failure to comply with deposit conditions (for fixed deposits)

6. Account maintenance fee

7. Rollover conditions (for fixed deposits)

8. Contact information of the service provider

9. Cautions (e.g. additional fees for inter-regional or inter-bank funds transfer)

10. Notice of changes to service conditions or

General information 1. Name of product 2. Type of product 3. Deposit term 4. Minimum and maximum

amount of deposits 5. Deposit balance (if an

interest rate varies with the deposit balance)

6. Annual interest rate 7. Interest rate table (for

products that involve more than 1 type of interest rate)

8. Example of interest calculation (if an interest rate is calculated by complicated approach)

9. Timeframe for interest payment

10. Main conditions (conditions which customer must do or

General information 1. Name of product 2. Type of product 3. Maximum usage amount

– it must be explained to the customer that he/she may increase the spending limit but no more than the maximum limit, and may also reduce the limit

4. Main conditions (conditions which customer must do or follow, otherwise, will affect the use of the product , or conditions that require the customer to pay additional fees)

5. Deposit/withdrawal/funds transfer conditions, benefits and other

4.1/2

any other important notices

follow, otherwise, will affect the use of the product , or conditions that require the customer to pay additional fees)

11. Deposit/withdrawal/funds transfer conditions, benefits and other conditions

12. Interest rate in case of failure to meet deposit conditions

13. Account maintenance fee

14. Rollover conditions 15. Contact information of

the service provider 16. Cautions (e.g. additional

fees for inter-regional or inter-bank funds transfer)

17. Notice of changes to service conditions or any other important notices

If the product is embedded with insurance 18. Type of insurance 19. Name of insurance

company 20. Amount of insurance

coverage 21. Protection conditions

(only important conditions)

22. Contact information of the issuer of the product

conditions 6. Entry fee 7. Annual fee 8. Card reissuance fee 9. New PIN request fee 10. Foreign transaction fee 11. Liability of the card

holder if the card is lost 12. Cautions (e.g. if the card

is lost, the customer must immediately suspend the card, additional fees for inter-regional or inter-bank funds transfer)

13. Contact information of the card issuer

14. Notice of changes to service conditions or any other important notices

If the product is embedded with insurance 15. Type of insurance 16. Name of insurance

company 17. Amount of insurance

coverage 18. Protection conditions

(only important conditions)

19. Contact information of the issuer of the product

4.1/3

Table 2: Minimum information for loan products

Secured loans (e.g. mortgage, hire purchase loans)

Unsecured loans (e.g. credit card loans, personal loans)

1. Name of the lender 2. Name of product 3. Loan amount (Loan to value) 4. Length of loan payments 5. Type of loan payments 6. Example of amortized interest rate

calculation 7. Interest rate 8. Interest rate or penalty for late

payment 9. Service fees e.g. debt collection fee 10. Conditions of the product (conditions

which customer must do or follow, otherwise, will affect the use of the product)

11. Required insurance and optional insurance

12. Important cautions e.g. penalty for late payment or partial payment, the entering into certain types of insurance does not have any effect on the approval of loans

13. Notice of debt/fee collection 14. Notice of loan payments made by the

customer e.g. receipt 15. Notice of changes to service

conditions or any other important notices

1. Name of the lender 2. Name of product 3. Interest rate 4. Interest rate or penalty for late

payment 5. Service fees e.g. payment fee,

statement reissuance fee, debt collection fee

6. Important cautions e.g. penalty for late payment or partial payment, actions needed immediately when credit card/ cash card is lost

7. Notice of debt/fee collection 8. Notice of loan payments made by the

customer e.g. receipt 9. Notice of changes to service

conditions or any other important notices

A service provider must comply with the Bank of Thailand regulations on disclosure of interest rates, service fees/charges and fines.

5/1

Attachment 5

Minimum standards on communications and training

All levels of staff involved in providing service to customers are communicated so that they realize the importance of fair market conduct, as well as receive

sufficient training so that they have knowledge to perform their duties, which will ensure fair market conduct and promote the actual implementation

5.1 Staff communication

5.1.1 There must be a unit that has duties and responsibilities for communicating with and giving knowledge to staff. Such unit shall set out topics, contents, forms, approaches, and evaluation techniques for staff communication, which also include appropriate timeframes and frequency for the staff communication, and shall oversee that the staff receive training according to the staff development plan.

5.1.2 The contents communicated to staff must be comprehensive, accurate, clear, and can be easily implemented, while they must be regularly updated. The extent of those contents must cover fair market conduct matters and be consistent with duties of staff involved in each market conduct management system e.g. the contents should outline the intentions of the regulations together with operating procedures and potential issues so that the staff will have actual understanding and realize the importance of complying with those regulations.

5.1.3 There must be systems and tools that enhance the effectiveness of staff communication, while the communication must be made through channels or by using the types of communication that are appropriate to the topic, contents, equipment, and behaviors of the target staff to ensure the effective communication.

5.1.4 There must be an evaluation of the effectiveness of staff communication and training so that the results are analyzed to make further improvements to the contents and communication methods, as well as ongoing knowledge reviews.

Example: An evaluation of the effectiveness of staff communication and training may be in the form of, for example, the review of sales staff understanding, conducting an actual sales assessment, conducting mystery shopping, arranging a meeting between units responsible for staff communication and involving staff.

5/2

5.1.5 There must be a mechanism for communicating with staff not directly involved in providing service to customers about the scope of their duties, whether they are eligible to sell products or give advice to customers, in order to mitigate the risk that those staff may not comply with the specified process or perform those beyond the scope of their duties, as they have not been aware of or do not understand the correct operating procedures, which may cause damage to customers e.g. those responsible for sales documentation help explain the product features to customers.

5.2 Training for sales staff

5.2.1 Sales staff must receive additional training to strengthen their required knowledge and skills to ensure fair treatment of customers e.g. sales staff must emphasize the advantages, benefits, conditions, limitations and warnings, especially in cases where customers may lose their benefits, customer rights, particularly for staff responsible for the sale of products that carry higher risks or are more complicated than any other products. This will ensure that sales staff can give quality advice and offer products that are appropriate to customers. The training program should cover, but not limited to, product knowledge that is accurate and consistent with the product information provided by product developers or designers, as well as comments or remarks gathered from the product selection process e.g. the products do not fit any particular group of customers. Sales staff must also receive the training that will enhance their knowledge and skills in gathering and analyzing customer data, and how to perform their duties as professional and ethical sales persons.

5.2.2 Sales staff must receive training for the launch of new products, especially products that carry higher risks are complicated than any other products, where a service provider must require all sales staff to participate in the training and must not allow those that do not participate in the training sell those products. A service provider must also require the product developers or issuers to provide the complete and sufficient information and documents for the sale of their products, as well as the product developers and issuers must also take part in arranging the training for sales staff.

5.2.3 Sales staff must be trained to use the language that is easy to understand or may use a script for explaining complicated matters, especially the features of products that carry higher risks and are complicated than any other products. In addition, sales staff must also be trained how to record their advice and presentation of products to customers so that they can be used as evidence.

5/3

5.2.4 A service provider must control the accuracy, comprehensiveness, adequacy and appropriateness of the contents in case where training for sales staff is arranged by a third-party service provider.

5.2.5 There must be an evaluation of training to ensure that sales staff receive knowledge and understand the contents of training so that they can, accordingly, apply those knowledge and understanding properly, while the results can also be used to make further improvements to future training.

On this, where a service provider operates many branches e.g. commercial bank, it may consider arranging training through digital channels e.g. Webinars, video conference to ensure that the knowledge, information and contents have been conveyed effectively and efficiently. There may also be a channel that the trainees can submit their inquiries, or there may be the assignment of professional sales staff (sales champions) to serve for the pools of branches in order to provide close consultation and coaching that cover a larger number of participants.

6/1

Attachment 6

Minimum standards on data privacy

Customer data must be safeguarded, as a service provider places importance on customer privacy and data security, while the transmission of customer

information to other entities must not invade customer privacy

6.1 Customer data protection

6.1.1 There must be a policy, operating procedures and operating systems for protecting customer data that are in line with business strategies and can accommodate any changes in IT and business operations, as follows:

(1) The assignment of duties and responsibilities of each level of staff promotes the protection of customer data and is in accordance with the “3 lines of defense” concept.

(2) Operating systems must be securely designed, developed and tested as well as flexible and regularly maintained.

(3) There must be the protection of data security, as the data must be classified, kept and disposed, based on its security classification, while there must be the deployment of reliable and internationally accepted data encryption.

(4) There must be the protection of system security to ensure that the system is safe and available for operation.

(5) There must be the control of access to operating systems, management of staff access rights (as the access rights must be regularly updated when there are any changes to their assignments or employment), as well as the strict monitoring of access to operating systems (to detect suspicious access to data and take prompt action), while the results of the monitoring must be reported to the management e.g. implementing a measure to control and prevent a data leakage by segregating the access to data of involving units according to the Chinese wall concept, allowing the storage of or access to only necessary data (need to know basis), setting out a practice for supervising and examining the staff who have access to internal data to prevent the inappropriate use of that data.

6/2

(6) There must be the effective supervision and management of data access, data usage and data protection arrangements of third-party service providers or business counterparts.

Example: An operating system for protecting customer data may include: - A system that can detect suspicious data access e.g. a particular staff

member accesses data of a customer that did not use the service, prints customer data during non-office hours, frequently views customer data or views a lot of customer data, or viewing customer data by not complying with normal procedures

- The control of transmission of a copy of customer data to external entities, both in the forms of screen capture and sending data by email or on the internet – by limiting the data file size, detecting certain key words, or randomly checking the contents or words

- Offering a commission only for tele-sales that have been conducted through the channels that the service provider can track the operations to prevent the sending of customer data to external entities for offering any other products “without” consent of the customers

6.1.2 All levels of staff must be earnestly encouraged to have understanding and awareness of the importance of the protection of customer data security.

6.2 Disclosure of customer data to other entities

6.2.1 There must be a process that will ensure that the recipients of customer data, including business counterparts that jointly launch products with a service provider under brand partnership arrangements (co-branding), can securely protect customer data as well as store only necessary data, while the data is used for the purposes to which the customers have given their consent, as well as customer privacy must not be invaded. The key concerns should include the capability of the data recipients to protect customer data, and the capability of the service provider to control and oversee the protection of customer data of the data recipients.

6.2.2 In disclosing customer data to other entities for marketing purposes, a service provider shall:

(1) “Disclosure of customer data for marketing purposes” means the disclosure of customer data for promoting or publicizing any products and services, where customers may or may not give their consent to the disclosure of data, which must not have any effect on the approval of applications for those products and

6/3

services. This does not include the disclosure of customer data to business counterparts jointly launching products with a service provider under brand partnership arrangements (co-branding).

(2) Must seek customers’ consent to the disclosure of data for marketing purposes, as follows:

(2.1) seek customers’ consent to the disclosure of data by giving them the rights to accept/decline, by using an approach that will ensure that the customers decide to give consent themselves and the customers must understand that this is not the condition for approving the products and services they have applied for e.g. in the application form, the section for the request of customer’s consent for market purposes may be separated from the section for non-marketing purposes, or the service provider may put a remark on the top of the consent request form that “this does not have any effect on the approval of products and services that the customer has applied for”.

(2.2) clearly notify customers that this request is to ask for their consent to the disclosure of data for marketing purposes e.g. for conducting a marketing campaign for other products or for publicizing any other services.

(2.3) notify a list of recipients of data to customers so that they can decide if they will give their consent or not; if the recipients are companies within the same business group of the service provider – the service provider can refer to the list in other sources e.g. the service provider’s website, however, the customers must be informed of those channels and can conveniently access the data.

If, later, a service provider wishes to put additional recipients on the list, for customers who have given their consent to the disclosure of data, the service provider must notify the new list and rights of the customers to decline the disclosure of data, as well as channels for the customers to raise their objection, and must set an appropriate timeframe for the customers to raise their objection e.g. 30 days. If the customers do not raise any objection within the specified timeframe, it is considered that the customers give consent to the disclosure of data that the service provider has requested (opt out). However, there must be a process to ensure that the customers have been aware of that request.

(2.4) notify channels that customers can conveniently contact to inquire about a list of recipients of data or cancel the communications from all recipients. In case where customers decline to receive any communications from the recipients,

6/4

a service provider must have a system that can immediately suspend all communications e.g. within 48 hours after the request is received. Under certain circumstances as deemed necessary so that those communications cannot be immediately suspended, a service provider must manage to complete it without delay e.g. within 10 days after the request is received.

6.2.3 In disclosing customer data to other entities for non-marketing purposes

(1) “Disclosure of customer data for non-marketing purposes” means the disclosure of customer data for which customers’ consent is required as without the consent the operations of the service may be significantly affected or the service provider may not be able to provide fair and ongoing service e.g. disclosure of customer data to third-party service providers (outsource) that provide supporting functions to the service provider, disclosure of customer data to government entities as required by law, including the disclosure of customer data to business counterparts under brand partnership arrangements (cobranding).

(2) A service provider may specify that the disclosure of customer data is part of service conditions, and gives customers the examples of the objectives of the disclosure of customer data e.g. for debt collection purposes. In this case, a list of the recipients is not required to be provided.

7/1

Attachment 7

Minimum standards on problem and complaint handling

The handling of customer problems and complaints as well as redress packages are clear, timely, independent, effective and fair

7.1 Acceptance and management of customer problems and complaints

7.1.1 There must be a unit and staff responsible for accepting customer problems and complaints that customers can conveniently and directly contact. There must be various channels for customers to make complaints, which can accommodate behaviors of each group of customers, while the customers must be informed of the channels that they can raise issues or make complaints, covering complaints about the business operations and those about service of the staff, the scope of complaints that they can make, channels and methods by which the complaints can rapidly be handled e.g. a list of required supporting evidence or data, methods for checking the progress of the resolutions, as well as channels of the government agencies that the customers can also make complaints e.g. where a customer is not satisfied with the service of the service provider, the customer can make a complaint through the Bank of Thailand’s Financial Consumer Protection Center.

7.1.2 There must be a standard process for handling customer problems and complaints where a unit and staff accepting complaints are independent, can cooperate with other units, and receive appropriate training and coaching, while customers must have opportunity to give full accounts of their complaints. Customer complaints must be fairly addressed by taking into consideration all related information, and all related accounts must be recorded. In case of sensitive problems or complaints that may have a significant effect, there should be a specific process for handling the issues e.g. rapidly escalates the issues to the senior management.

7.1.3 Customer problems and complaints must be fairly addressed, as a service provider takes into consideration the facts and surrounding circumstances for each individual case, including all related contributing factors e.g. operating procedures that are actually applied, promises made by sales staff, customer profile.

7.1.4 There must be a system for tracking the progress of problem or complaint handling to ensure that the issues are managed and considered according to the specified practices, conditions and timeframes. And, there must also be a system for examining the quality of problem or complaint handling.

7/2

7.1.5 As customer problems and complaints are warning indicators of system problems, if a service provider receives complaints about a particular issue, a particular member or group of sales staff, or repeated problems or complaints, or the problems or complaints that may not frequently exist but may have a significant effect on the fair treatment of customers, the service provider must find the root causes of those problems or complaints, and/or extend the scope of examination to cease potential losses. Service provider may assign staff to track the progress of problem or complaint handling and urge the progress frequently.

7.2 Resolution of customer problems

A service provider must have measures to resolve problems and redress customers, must set out the standard for resolving problems with similar characteristics, and must set a timeframe for each step of resolution that is appropriate and timely, while the customers must periodically be informed of the resolution progress. A timeframe and factors for determining a redress or compensation package must be fair, especially for problems caused by the service provider itself i.e. system failures or staff error, while the same treatment should apply to the similar cases e.g. the service provider must not give compensation “only” to customers that it has relationship with.

7.3 Prevention of repeated problems or complaints

7.3.1 All customer problems and complaints that have been received through any channels must be recorded. In case of inquiries, they must be recorded for assessing if the data provided during the sales process is sufficient, and the results may be used for improving the offering of products to ensure that it is accurate, clear, easy to understand, and comprehensive.

7.3.2 There must be the assignment of those to have responsibility for identifying the root causes of customer problems or complaints (root cause analysis), and the results of the analysis will be used e.g. as supplement information for an audit, evaluation of staff performance, as well as for the improvement of products, services, operating procedures or systems, enhancement of controls or reviews, while it must be communicated to all related staff.

7.3.3 The arrangements for dealing with customer problems and complaints must be reported to the board of directors and senior management so that they can assess the risks and take further action to improve related operations to prevent the repeated problems or complaints. Customer problems and complaints must also be reported to

7/3

the Bank of Thailand according to the regulations on reporting of financial service quality data.

8/1

Attachment 8

Minimum standards on 3 Lines of defense

For customer service management, there must be operating processes, control systems, and an audit of the operations that give priority to fair and

sound treatment of customers, while there must be a system that can effectively detect risks and irregularities in order to prevent any potential losses

8.1 Control, oversight and audit

8.1.1 There must be the monitoring and audit of the operations under all market conduct management systems, which cover each and every level of the operations in accordance with laws, supervisory regulations, and internal procedures with regard to fair market conduct. The auditors must be independent from the activities that they have to audit and be able to independently conduct an audit of any activities. This will ensure that the board of directors and senior management can create and maintain sound internal control environments and that customers are fairly treated.

In carrying out those as specified above, a service provider must assign responsible persons or units to perform monitoring and audit functions in accordance with the “3 lines of defense” concept, as follows:

1st line includes internal control and review of day-to-day operations

2nd line includes supervision and audit performed by the oversight function (to ensure that the operations comply with the specified regulations) and risk management function

3rd line includes an audit to assess the sufficiency of the implemented measures

Those who perform the above activities must have understanding and expertise in overseeing the compliance with the specified regulations and must have an important role in supporting and encouraging the effective internal control and also take part in give advice to business units, branches, and service/sales networks.

8.1.2 There must be an assessment of all operating procedures and services under the 9 market conduct management systems to identify or outline potential risks and, accordingly, implement measures to monitor and control those risks (Attachment 8.1).

8/2

In addition, a service provider must place importance on the appropriate installation of a system for post-sale/service monitoring (self-monitoring) to ensure that the sales/service arrangements are in line with the sales/service processes as specified by the service provider. If a service provider has found any inappropriate operations or services, it must resolve the issues or make improvements, and figure out the causes as well as take appropriate action. A service provider must monitor the operation and service reports to ensure that the operations under each market conduct management systems are accurate and fair.

Example: A service provider may assign the staff who have knowledge and expertise in products and sales process of those products to conduct self-monitoring as follows: - Conduct mystery shopping at branches, by using the sample size that is

sufficient for evaluating the quality of the operations at those branches - Call the customers to ask about the service quality(call back or welcome

call), by using the sufficient proportion of sample size, while the scope and characteristics of questions must be comprehensive for evaluating the sales quality effectively; the service provider must call all customers that enter into products with high exposures to unfair services e.g. vulnerable customers, or customers who have been offered products with complicated features that are not easily to understand e.g. unit-linked products

- Randomly examine the recorded conversations between sales staff and customers

- Randomly check the sales items and sales documents to examine if the operations and the receipt of payments are accurate

8.1.3 An audit plan must focus on the specified risks as well as the operations if they are in accordance with the specified operating procedures, processes and regulations. As an audit must be performed based on risk indicators, a service provider must, thereby, identify if any incidents may lead to potential risks.

Example: The following incidents may be used as risk indicators: - For the sale of certain products on which sales staff receive remarkably

high commission, if the volume of sales at any particular branch is relatively high, it may be suspected that such branch may offer the products with inferior advice or lack of responsibility to customers (mis-selling).

- If there is any record of unusual access to customer’s data, it may be

8/3

suspected that there is inappropriate access to customer data.

An audit plan should cover all aspects e.g. for an audit of sales process – the scope of an audit should cover an aspect of “sales approaches through any channels”, an aspect of “point of sales areas” e.g. branches or provinces, as well as an aspect of “transactions”, while the frequency of an audit must be appropriate. In addition, in conducting an audit, the various monitoring and examination approaches may apply appropriately to the target issues.

On this, those responsible for conducting an audit e.g. the compliance unit and internal audit unit, must perform their assigned duties and responsibilities to ensure the comprehensiveness of the audit, while those responsible for conducting the review or examination of the operations within their own units must report the results of that review and examination to those responsible for the overall control, oversight and audit to ensure that the audit plan is more effectively drawn up.

8.1.4 The audit results must be reported to the board of directors and senior management, while the suggestions should also be presented, so that the board and senior management may consider taking action.

8.2 Prevention and management of a conflict of interest

8.2.1 A service provider must identify activities that may lead to a conflict of interest, and set out a policy, measures or tools, as deemed sufficient and effective, for preventing or managing a conflict of interest as well as take disciplinary action against the staff who do not comply with the specified regulations.

8.2.2 There must be clear tools or approaches for managing each kind of conflict of interest and there must be the communication and sharing of knowledge and understanding of the measures implemented by the service provider so that responsible persons and staff are aware of the importance of and the compliance with those measures, and can, thereby, effectively comply with them.

8.2.3 There must be the review of compliance with specified measures, while further action must be taken if there is any incompliance issue. Associated risks and measures should also be regularly assessed and reviewed.

8.1/1

Attachment 8.1

Risks involved with customer service, examples of control, oversight and audit arrangements

Potential risks e.g. risk that the products may have inappropriate conditions, risk that the communication of fair market conduct may not be sufficiently effective, risk that the system is disrupted due to operational errors, risk of fraud, risk that customers are offered inappropriate products leading to customers’ losses, risk that customer information is not well protected, risk that customer problems are not properly and fairly resolved.

Example: Control and review of staff performance Oversee that the sales operations, control and review processes are in

accordance with the specified procedures, and must take serious action against a breach of those procedures or incompliance issues e.g. - Review the conditions of products, and test the products with

a particular group of customers before launching them - Regularly review staff knowledge and understanding of the

organization’s policies - Have in place maker-checker controls - Those with approval authority in the sales process must be

independent from sales staff - Review if the offering of products by sales staff is appropriate to

customers - Oversee and examine the arrangements of sales staff for the sales that

may require special attention e.g. sales of products to vulnerable customers or sales of products that carry higher risks or have complicated features than any other products

- Oversee if the arrangements of sales staff are within the scope of their qualifications or responsibilities e.g. a sales staff member must not give his/her password to other members to conduct a transaction on his/her behalf

- Record tele-sales conversations - Sales staff must not be allowed to bring any devices or equipment to

the areas in which telesales are conducted so that they cannot take customer information out of the areas

- Have in place a system that can rapidly detect suspicious transactions

8.1/2

so that necessary action can be taken to immediately rectify the fault or prevent any further losses

Verify the source and if customer information is acquired properly and that the customers have given their consent

Create a do-not-call list or apply a comparable process for gathering information of customers who do not wish to receive any further communications; the list must be promptly updated and actually implemented

Have in place a system to ensure the secure payments and prevent frauds e.g. customers must be required to make “cash” payments “directly” over the deposit counter (not pass through other unrelated staff), customers must be required to confirm credit card transactions by themselves

Have in place a system for monitoring account movements and financial transactions of the staff responsible for receiving the payments

Oversee that the operations of third-party service providers or agents are in accordance with the agreements e.g. transmission of customer data, disposal of customer data that is no longer used

Have in place a system for protecting service security

9/1

Attachment 9

Minimum standards on operations and business continuity

For customer service management, there must be operating systems, risk management and business continuity plans, under ordinary circumstances and in the event of an emergency, to ensure that customers’ instructions or wishes have accurately, completely and timely been responded and that the customers are

provided undisrupted services and fairly treated

9.1 Operating systems

9.1.1 There must be operating manuals and/or tools to ensure that those involved in the operations have performed all and accurate duties e.g. a checklist, arranging training courses related to those manuals, so that all staff will have understanding and be aware of the importance of compliance with the manuals in order to prevent any operational errors and that customers are fairly treated.

9.1.2 If there is the deployment of IT systems, the following risks must be taken into consideration:

(1) System robustness – if the operations and storage of significant data rely materially on a computer system, there must be the prevention of potential threats to the system, and there must also be a contingency plan in the event where the system is disrupted, hacked or damaged.

(2) Data security – there must be the control of data usage and data access to prevent a leakage of data or the use of data for inappropriate purposes

(3) Development of operating software to support operations – the design of software must respond to user needs as the software can accurately and promptly be used e.g. the software shows a warning sign as a customer places an order to sell the products that may make the customer lose tax benefits, there should also be a list of all required data, while the data is correctly processed, and there must be a clear warning or report that the staff can clearly notice and understand so that they can suggest that information to customers.

Where there is a disruption to operating systems or the system update is required, either the system or software, a service provider must place importance on this and promptly respond to the issues.

9/2

9.1.3 There must be a system for recording the execution of transactions events for the purposes of customer protection and service improvement, but this must not invade customer privacy e.g. installing CCTV system that can actually be used and is regularly maintained.

9.2 Business contingency plan

9.2.1 There must be a business contingency plan that covers important operating procedures to ensure the continuity of business without any interruption to customer transactions or causing any damage to customers. If an effect on customers is unavoidable, a service provider must appropriately communicate this to the customers before the incident, during the incident, and after the incident.

9.2.2 The plan must be tested for its practicality and that the plan can control the impact and damage, while the critical operating systems can be recovered within the specified timeframes. And, the plan must be reviewed and revised to reflect the current circumstances and environments.