In parallel, the Department of Business Development initiated legal proceedings in 820 nominee shareholder cases between late 2024 and 2025. This enforcement action was accompanied by draft proposals to increase penalties further, according to a policy summary published by ASEAN Briefing.
The Foreign Business Act (FBA) B.E. 2542 (1999) classifies a company as foreign when at least half of its capital shares are held by non-Thai persons or entities. This foreign classification triggers a licensing regime for most restricted sectors, a process that can take months and offers no guarantee of approval.
The current entry problem for foreign capital is defined by two converging trends. The formal ownership ceiling is loosening for sectors most attractive to foreign entrants, particularly technology and digital services. At the same time, the informal workarounds that thousands of foreign-controlled companies relied on for years are being systematically dismantled.
Thailand's foreign investment regime tightens on nominees and loosens on digital sectors
- The Foreign Business Act classifies any company with 50 percent or more foreign shareholding as foreign, restricting most business sectors without a license.
- Four legal pathways permit foreign operation: Thai-majority joint venture, Board of Investment promotion, the US Treaty of Amity, and a Foreign Business License.
- Board of Investment promotion has become the standard route to full foreign ownership for technology and digital services entrants, with approval in two to four months.
- Thai enforcement moved from paperwork review to forensic reconstruction of control, with 820 nominee cases initiated between late 2024 and 2025.
- The Personal Data Protection Act imposes cross-border transfer restrictions with no adequacy list published as of April 2026, requiring Standard Contractual Clauses or Binding Corporate Rules.
- A regulatory doctrine permits foreign cloud infrastructure use without triggering transfer obligations when the data controller retains sole encryption key custody.
Four legal pathways for foreign entry
Under the FBA, a company is treated as Thai when foreign shareholders hold 49 percent or less of its capital shares. A company with 51 percent Thai shareholders and 49 percent foreign shareholders operates without the sector restrictions applied to foreign-classified entities.
The statutory text, hosted by UNCTAD, defines a foreigner in terms of share ownership rather than directorship. This means a foreign-majority-owned company with a Thai-majority board remains classified as foreign.
The most common structure for smaller foreign entrants is a Thai-majority joint venture at the 51/49 threshold. Foreign parties often preserve governance influence through preference shares issued under Section 1108 of the Civil and Commercial Code, shareholder agreements with veto provisions, and board appointment rights.
An earlier mechanism of layered voting-rights share classes, which permitted foreign partners to retain de facto control while nominally minority-owned, was closed under revisions to the FBA.
Board of Investment (BOI) promotion has become the standard pathway for technology, software, digital services, and fintech entrants seeking full ownership. Approval typically takes two to four months and permits up to 100 percent foreign ownership along with corporate income tax exemptions in qualifying sectors. Companies operating under BOI promotion receive exemption from most FBA provisions during the promotion period.
The United States Treaty of Amity and Economic Relations, signed in 1966, grants a narrow but powerful exception for companies with at least 51 percent US citizen ownership. Such companies operate as if they were Thai, permitting up to 100 percent foreign ownership. The Treaty excludes communications, transportation, land ownership, banking with depository functions, and fiduciary services, restrictions that rarely bind on digital or professional services entrants.
The Foreign Business License (FBL) remains available as a direct application path for companies unable to qualify for BOI or Treaty of Amity coverage. Approval is discretionary, timelines are long, and rejection is not uncommon in restricted-sector categories.
A fifth structure, reciprocal cross-holding, is used by sophisticated corporate groups but sits outside standard entrant playbooks. Two operating entities each hold 51 percent of the other, and a foreign holding company retains the remaining 49 percent of each. The arrangement produces effective foreign control across two nominally Thai-majority companies, and it now carries elevated regulatory scrutiny under the enforcement wave that began in 2024.
More Business Articles
The forensic turn in enforcement
The historical FBA workaround was the nominee shareholder: a Thai national listed on the corporate register but holding no genuine economic interest in the company. Nominee arrangements are prohibited under Section 36 of the FBA and carry penalties of up to three years imprisonment and fines up to one million baht for both the foreign party and the Thai national involved.
Enforcement escalated sharply beginning in 2024. Thailand's Department of Business Development opened investigations into hundreds of companies suspected of nominee structures in early 2024. By late 2024 and into 2025, legal proceedings were initiated in 820 nominee-related cases across the country, with proposals to increase penalties introduced in parallel with the enforcement wave.
The forensic method behind these investigations shifts the operative document from the corporate register to the underlying capital flows. The Department of Business Development and the Department of Special Investigation reconstruct actual control by examining whether Thai shareholders have verifiable independent income sources sufficient to fund their share subscriptions.
Investigators also check whether dividends flow proportionally to them or loop back to the foreign party, and who signs contracts and authorizes payments. They review whose email addresses handle business correspondence and whether the same Thai individuals appear as shareholders across multiple unrelated companies.
The shift from paperwork verification to control reconstruction changes the operational risk profile of a nominee arrangement. A structure that clears registrar review may fail a subsequent forensic audit if the underlying capital flows do not match the recorded ownership. Structures that formally satisfy the statute while functionally evading it now face a narrower margin of survival.
The April 2025 Cabinet proposal to liberalize the FBA runs in a specific direction relative to this enforcement wave. The proposal raises the ownership ceiling in select restricted-sector categories, particularly those covering digital services and high-value manufacturing, without altering the underlying definition of foreign. Reforms are implemented in stages through 2026 and are framed as an inducement to legitimate foreign capital, contingent on the parallel closure of the nominee route.
Data custody as a second constraint on tech entrants
For technology companies, the ownership question runs alongside a second regulatory constraint under the Personal Data Protection Act (PDPA) B.E. 2562 (2019), fully enforceable since June 2022. The PDPA is modeled on the European Union's General Data Protection Regulation and applies extraterritorially to foreign companies collecting or processing personal data of individuals in Thailand, regardless of whether the company maintains a local office.
The PDPA imposes no general data localization requirement. Sector-specific localization applies in narrow areas, including credit information companies under the Credit Information Business Act and certain Bank of Thailand payment licensees required to process domestic debit card transactions locally. For general technology operators, storage location remains a matter of contractual and technical design.
Cross-border transfer is where the PDPA binds most sharply on foreign technology operators. Sections 28 and 29, clarified by regulations issued in December 2023 and effective 24 March 2024, establish two pathways. The first is an adequacy route to jurisdictions the Personal Data Protection Committee (PDPC) has recognized as having equivalent protection standards. The second is a safeguards route where adequacy has not been determined.
As of April 2026, no adequacy list has been published, so every foreign operator handling Thai personal data currently transfers under the safeguards route. The safeguards route accepts Binding Corporate Rules for intra-group transfers and Standard Contractual Clauses modeled on ASEAN or European Union templates.
These templates are updated with Thailand-specific obligations including a 72-hour breach notification requirement, as summarized in commentary by Baker McKenzie.
In February 2026, the PDPC published its regulation on the examination and certification of Binding Corporate Rules, and the first approvals followed shortly after. The approval process requires Thai-language submissions and takes approximately six months. Organizations with existing European Union or United Kingdom Binding Corporate Rules approvals can adapt their frameworks with a Thai-specific addendum covering PDPA obligations.
A regulatory doctrine has emerged that shapes system architecture rather than jurisdictional choice. Storing or moving Thai personal data outside Thailand is not treated as a cross-border transfer under the PDPA when the data controller retains sole and exclusive technical control, for example by holding the encryption keys, and no third party can access the underlying data.
Under this reading, summarized in a regional analysis published on Rouse, foreign cloud infrastructure may be used without triggering PDPA transfer obligations, provided the controller preserves technical exclusivity.
Additional PDPA obligations apply to any technology company operating at scale in Thailand. Data controllers and processors must appoint a Data Protection Officer when their processing involves regular monitoring of large-scale personal data or the processing of special categories of personal data.
Overseas controllers within the extraterritorial scope of the PDPA must also appoint a local representative in Thailand, as documented in the country guide published by DLA Piper.
Section 34 of the PDPA grants individuals the right to object to automated decision-making that produces legal or significant effects. Companies deploying such systems must disclose the logic involved, provide human review mechanisms, and offer appeals processes. The provision applies directly to machine learning and automated scoring systems that reach Thai data subjects.
The pattern beneath both regimes
The two regulatory regimes converge on a similar analytic pattern. Both read from the statute as blunt thresholds, and both operate at the enforcement layer as tests of demonstrable control. The ownership percentage on the corporate register and the physical location of a data server both carry less independent weight than they did five years ago.
Under the FBA, the operative test now examines capital flows, decision authority, and correspondence patterns to determine whether a Thai-majority company is genuinely Thai. Under the PDPA, encryption-key custody and access control determine whether data has left the jurisdiction in any meaningful sense, with server location functioning as a secondary consideration.
For foreign companies evaluating Thai market entry in 2026, the practical consequence is that structural planning and technical architecture carry more weight in the compliance calculus than they did a decade ago. The legitimate pathways to operation are clearly enumerated across ownership and data regimes alike. The margin for structures that formally satisfy the rules while functionally evading them is narrowing across both.
Sources
- ASEAN Briefing editorial team. "Understanding Thailand's Foreign Business Act: Restricted Sectors and Workarounds." ASEAN Briefing (Dezan Shira & Associates), 2025.
- UNCTAD Investment Policy Hub. "Thailand Foreign Business Act B.E. 2542 (1999)." United Nations Conference on Trade and Development, 1999.
- Baker McKenzie. "Thailand: PDPC Approved BCRs for Cross-Border Transfers." Baker McKenzie Insight, 2026.
- Rouse. "Data Localisation and Transfer Issues in Southeast Asia: What Businesses Need to Know." Rouse, 2025.
- DLA Piper. "Data Protection Laws of the World: Transfer in Thailand." DLA Piper Data Protection, 2025.
- Securiti Research Team. "Thailand Cross Border Data Transfer Legislation." Securiti, 2024.
- Statrys. "Can a Foreigner Own a Company in Thailand? 2026 Guide." Statrys, 2026.
