Online Banking
Personal
- Bualuang iBanking
- Bualuang iBanking
- Bualuang iBanking
- Mobile Banking
- Mobile Banking
- Mobile Banking
- Bualuang iFunds
Commitment
Materiality
Responsible for governing and overseeing information security and cybersecurity management to be appropriate for the Bank’s business operations.
Responsible for overseeing and monitoring information technology risks including risks from cyber threats.
Responsible for ensuring that our Information Technology Division works effectively and in alignment with business operations.
Responsible for supporting the Chief Information Security Officer (CISO) who is responsible for the following:
Artificial intelligence (AI) technology is currently being widely adopted across both business operations and in daily life. The Bank has leveraged AI to support its business activities, including threat detection, product recommendation (cross-selling), and chatbot implementation for customer services. Recognizing the potential risks associated with the use of AI, the Bank has established a comprehensive risk management framework based on the principles of responsible AI adoption that takes into consideration the impacts related to ethics, social and personal data security. The Bank has also established an Information Security and Cybersecurity Policy which specifies a comprehensive governance framework for the adoption and control of AI to ensure its appropriate and responsible use. The policy also embeds security-by-design principles into AI-enabled systems, including data encryption, access controls, and regular vulnerability assessments. The Bank also engages in proactive communication with employees and customers to promote awareness and understanding of responsible AI use.
We place the highest priority on the protection of personal data to prevent data subjects from being harmed by the misuse or unlawful exploitation of personal information. We have established principles and operational guidelines for personal data security that are fully aligned with the Personal Data Protection Act (PDPA) and other relevant regulations. The Bank has assigned responsible personnel for reviewing and monitoring data. Requirements have also been set up on the granting of access rights, and the sorting and classification of data in order to establish different corresponding personal data security measures that are consistent with the degree of risk and potential impacts from a breach of personal data privacy. We have identified personal data risk as one of the Bank’s key risks and have assigned the Data Protection Office and Data Protection Officer (DPO) to participate in the risk management process, from risk identification to risk management and risk controls.
Personal Data Protection Governance
To ensure transparent and effective governance of personal data protection in compliance with the Bank’s internal practices and relevant laws and regulations, the Bank has clearly defined the roles and responsibilities of the Board of Directors, senior executives, and relevant departments in personal data protection. The Bank undertakes risk control according to the Three Lines of Defense principle and ensures that the audit of personal data protection is conducted by the Audit and Control Division working independently of the units that collect, use and disclose personal data. In addition, the Bank has established a Data Protection Office under the Compliance Unit and appointed a DPO to be in charge of personal data.
Personal Data Protection Policy and Standards
We have established the Personal Data Protection Policy and Standards in compliance with the Personal Data Protection Act B.E. 2562 (PDPA) and other applicable regulatory requirements. The policy applies across the Bank’s business groups, business partners and external service providers. The policy is reviewed on an annual basis to ensure it remains current and effective. In addition, the Bank has developed operating manuals for personal data protection for all relevant units to ensure that employees have a good understanding of the processes and puts them into practice accordingly. All employees must acknowledge and conform to the Personal Data Protection Policy. Any violation or non-compliance may result in disciplinary action and could also give rise to criminal liability or other legal penalties under applicable laws.
We disseminate our Privacy Notice through multiple channels, including the website, branches, and digital banking channels, to inform data subjects of details regarding personal data protection and their rights. Data subjects may seek further information and exercise their rights at any branch or through other service channels of the Bank, or by contacting the Bank’s Data Protection Officer or the Data Protection Office for assistance.
We have established a consent form that specifies details and objectives regarding the collection, use and disclosure of the personal data of a data subject so that the data subject can consider this before giving consent, prior to or during data processing (such consent is the data subject’s choice and will not in any way be a requirement for using the Bank’s services). Additionally, we also monitor the data used for secondary purposes as allowed by relevant laws and with consent, such as marketing activities and data analytics to develop products and services. As of the reporting period, 88 percent of the Bank’s customers have provided consent for the use of their personal data for secondary purposes.
Personal Data Breach Response
We have established clear guidelines and procedures, and designated responsible persons for responding to personal data breach incidents. A personal data breach reporting form has been established for completion by the unit detecting the incident and for reporting to the responsible supervisor in charge for further submission to the DPO.
Data subjects may submit complaints regarding personal data breach incidents through the Bank’s established complaint handling channels or by contacting the Data Protection Officer (DPO) or the Data Protection Office. Upon receipt of a complaint, we conduct a transparent and impartial investigation to ascertain the facts. If the investigation confirms the breach, we will take action against the wrongdoer according to the established disciplinary processes and guidelines, make proper remedies to the affected parties, and implement corrective measures to prevent recurrence. In 2025 we received a total of 22 complaints related to personal data protection breaches, comprising 12 complaints submitted through the Bank’s complaint handling channels and 10 complaints submitted through regulatory authorities. Of these, 15 cases have been fully investigated and resolved with none of the cases causing significant impacts on data subjects.
We believe that fostering a culture of information technology security, cybersecurity and personal data protection in the organization requires every employee to have the right knowledge and understanding of the subject. Therefore, we have taken the following measures or requirements to enhance knowledge and understanding: