Digital Innovation

Target 2029

Achieve 91% of total customers using KTC Mobile.


38,800 approved customers applied via Krungthai NEXT


14,000 approved customers applied via Apply Online Service

Target 2024

Achieve 88% of total customers using KTC Mobile.


25,000 approved customers applied via Krungthai NEXT


3,600 approved customers applied via Apply Online Service

Performance 2024

91% of total customers use KTC Mobile.


25,581 approved customers applied via Krungthai NEXT


3,873 approved customers applied via Apply Online Service

Challenges and Opportunities

In today’s rapidly advancing technological landscape, digital technology plays a crucial role in transforming consumer lifestyles. As convenience, speed, and security in financial transactions become increasingly important, the Company is committed to developing digital technology, innovations, and infrastructure to enhance the quality and security of financial products and services. However, failing to adapt to continuously evolving consumer behavior could impact the Company’s competitiveness and business growth. The Company prioritizes investments in infrastructure and strategic initiatives that create business opportunities while improving operational efficiency across all dimensions. Nevertheless, the advancement of digital technology comes with increasingly complex cybersecurity threats. The Company recognizes the importance of data security and business continuity by implementing cybersecurity governance measures in strict compliance with international policies and standards, and invests in advanced security infrastructure and systems. Furthermore, the Company fosters a security awareness culture among employees to build trust and confidence among customers and stakeholders in conducting financial transactions with the Company.

Key Achievements
  • KTC Mobile users equal 91% of the total number of customers
  • All employees have undergone training on data security, cybersecurity, and privacy protection
  • The Company has been certified with ISO/IEC 27001:2013 Information Security Management Systems and ISO/IEC 27701:2019 Privacy Information Management Systems
  • 25,581 approved customers that applied for financial products via Krungthai NEXT
  • 3,873 approved customers that applied for financial products via the Apply Online Service

In the rapidly evolving digital era, KTC has established a robust management approach to address potential emerging challenges related to data security, cybersecurity, and personal data protection. As a consumer finance service provider, the Company places great emphasis on building a secure IT infrastructure and safeguarding customers’ personal data.

Data Security, Cybersecurity, and Privacy Protection Management

KTC has established policies and regulations on data and information system security to effectively manage IT and personal data risks at an appropriate level, ensuring compliance with relevant laws and internationally recognized standards. These policies and regulations are reviewed, updated, and approved annually by the Board of Directors to ensure their relevance and effectiveness, and are communicated to all employees across the organization via KTC UNITE to foster awareness and adoption. The key details are as follows.

Policies Related to Data and Information System Security
Policy: Topic
  • Information Technology Policy: Management of information technology, IT security, and IT risk management
  • Information Security Policy: Information security and privacy protection, encompassing Confidentiality, Integrity, and Availability (CIA)
  • Personal Data Protection Policy: Safeguarding personal data of data subjects
  • Notice of data protection measures for different groups under the Personal Data Protection Policy (1): Providing notice on the purpose of personal data processing and data subject rights
  • Information Classification Standard Regulation: Access control and classification of information based on confidentiality levels
  • Information Security Incident and Privacy Management Regulation: Handling security breaches, system disruptions, and legal rights requests under data protection laws
  • Code of Conduct (2): Guidelines for the Board of Directors, management, and employees to safeguard, maintain, and prioritize the information system security
(1) Personal Data Protection Notice covers all relevant business units and affiliated companies, including customers, sales agents, suppliers, business partners, creditors, service support operators, security holders, government sector, director, etc. For additional information, please refer to
(2) Code of Conduct is reviewed by the Audit, Environmental, Social Responsibilities, and Corporate Governance Committee before presenting to the Board of Directors for approval

Additionally, the Company has established an organizational structure that supports effective IT governance and risk management based on the Three Lines of Defense model, with clearly defined roles and responsibilities. The structure consists of business units responsible for IT operations, IT governance and IT risk, and IT audit.  

Information Security and Privacy Governance

The Company has established an Information Security Committee (ISC) to oversee the management of information security and cybersecurity. The committee is chaired by the President & Chief Executive Officer (CEO), with top management from various business units serving as members. Additionally, the Head of Information Technology, responsible for overseeing the organization’s IT operations, serves as both a member of the sub-committee and the secretary.

Roles and Responsibilities of the Information Security Committee (ISC), such as:

  • To define policies related to information security and information technology, for approval by the Board of Directors
  • To oversee and implement actions related to information security and information technology
  • To oversee IT strategic planning and budgeting to ensure alignment with financial resources, available assets, and business priorities
  • To serve as the Data Protection Officer (DPO) for the Company and subsidiaries in accordance with the Personal Data Protection Act

KTC has implemented a comprehensive IT governance framework to ensure the integrity, confidentiality, and availability of information assets. The Head of Information Technology, serving in a role equivalent to a Chief Information Officer (CIO), provides strategic oversight of IT operations, infrastructure, cybersecurity, compliance, innovation, and ensures alignment with business objectives and regulatory requirements.

To specifically manage and strengthen information security, the Company has established a dedicated CISO Division reporting directly to the Head of IT. This division is responsible for establishing and maintaining the organization’s vision, strategy, and program to protect information assets and technologies. It implements a hierarchical information security governance structure, oversees cybersecurity risks and incident response, and ensures compliance with international standards. This approach embeds information security within the broader IT strategy while maintaining focused operational accountability.

Information Technology and Cybersecurity Measures

To enhance information security, KTC has implemented risk management measures and tools, along with a clear incident response process. The Company conducts system testing at least once per year to mitigate the risks of IT disruptions and cyber threats while ensuring readiness for emergency situations. Additionally, KTC regularly reviews and reinforces employee awareness and understanding of security protocols. Key security practices include the following.

Privacy Protection Measures

As a provider of financial products and services, KTC prioritizes the safety and privacy of customer and stakeholder data. The Company has established a Personal Data Protection Policy along with practices and measures related to the protection and security of personal data across all its operations, including those of its subsidiaries and stakeholders such as customers, employees, shareholders, and business partners. All employees are required to strictly adhere to these guidelines. Failure to comply may result in disciplinary actions and legal consequences. To ensure the effective implementation of the personal data protection policy, the Company has established mechanisms such as the following.

Privacy management policy, system and procedures

  • The Internal Audit business unit is responsible for auditing all business units for their compliance with the Personal Data Protection Policy. The audit findings are reported to the ISC and to the Audit, Environmental, Social Responsibilities, and Corporate Governance Committee for acknowledgement.
  • Conduct annual external audits on personal data protection practices to be certified with the ISO/IEC 27701:2019 Privacy Information Management Systems standard.
  • The number of personal data breach incidents is established as a key performance indicator (KPI) for evaluating employee performance across the organization.
  • Enhance workflows, contracts, and various forms to ensure compliance with legal requirements, such as obtaining consent for personal data processing and conducting risk assessments related to personal data processing.
  • Require data processors to sign a Data Processor Agreement to ensure that they acknowledge and operate within the agreed scope when processing personal data on behalf of KTC. This agreement also mandates that data processors promptly notify KTC in the event of any personal data breach arising from the assigned tasks.
  • Training and education are provided to employees and outsourced service providers to ensure compliance with personal data protection laws and the ISO/IEC 27701:2019 standard.
In addition, KTC informs data subjects about the processing of their personal data in the following areas.
  • The types of personal data that KTC processes and uses for specific purposes
  • The reasons or legal bases for collecting, using, or disclosing customers’ personal data
  • The rights of data subjects as defined by law, including the right to be informed, the right to access, the right to data portability, the right to object to personal data processing, the right to erase, destroy, or anonymize the personal data, the right to restrict personal data processing, and the right to rectify personal data
  • The duration for which the Company retains the data; the Company will store personal data of individuals associated with the Company for up to 10 years after the end of the relationship. In cases where approval for financial product membership is not granted, the Company will store personal data for no longer than 1 year from the date of non-approval. After the retention period, KTC will delete or destroy the data
  • Measures to protect personal data; the Company established policies or guidelines in the event that data is requested for use by third parties, such as government or private organizations. KTC will not use the data for purposes other than those consented to or as per other conditions stated in the relevant guidelines
  • KTC tracks the proportion of users whose data is used for secondary purposes, such as disclosing information to affiliates within the financial group and business partners. In 2024, the rate was 7.8%

For additional information, please refer to the Company’s Data Protection Notice under the Personal Data Protection Policy of Krungthai Card Public Company Limited at https://www.ktc.co.th/about/data-protection-notice

Customer Privacy Breach

In 2024, the Company identified 11 incidents of customer privacy breaches involving the leakage of personal data. These incidents were reported as errors originating from the Company or its outsourced service providers. The Company has reported these incidents to the Information Security Committee (ISC) and has taken corrective action in accordance with its established guidelines. Moreover, the Company has reinforced awareness among employees and external service providers regarding the importance of preventing personal data breaches and the potential impacts on data subjects. Preventive measures have also been reviewed and strengthened to mitigate the risk of similar incidents occurring in the future. Additionally, the Company and its outsourced service providers have reinforced compliance with operational guidelines among personnel and emphasized awareness of the corresponding penalties for non-compliance. Furthermore, system enhancements have been implemented to improve monitoring capabilities and operational efficiency, ensuring that similar incidents are prevented in the future.

Independent External Audit

In compliance with policies related to information technology and personal data, KTC ensures alignment with laws, regulations set by the Bank of Thailand, and relevant international standards to uphold the highest standards in cybersecurity and data protection. To reinforce this commitment, KTC has been certified by independent external auditors in the following areas.

Digital Transformation Strategy

KTC drives its digital transformation strategy by leveraging advanced technology and innovation to develop products and services. The strategy focuses on three key areas, including digital products, digital services, and digital channels. The Company integrates technology and artificial intelligence (AI) to optimize operations, reduce costs, and enhance customer experience, ensuring accessible, convenient, fast, and equitable services for all customers. This approach also helps minimize resource consumption, prevent data loss, and reduce travel time, while prioritizing transaction security to safeguard customer trust. These efforts support strong business growth while driving KTC toward long-term sustainability.

The Company continues to focus on enhancing the efficiency and effectiveness of marketing communications through a variety of digital marketing strategies to present information about the Company’s products and services while also building continuous customer relationships. This approach ensures that the Company can reach and meet customer needs according to its objectives. The use of Paid Media on online platforms helps facilitate quick and easy access to information for customers. Furthermore, the Company improved its website to ensure a modern interface, fast loading speeds, easy information retrieval, and enhanced Search Engine. In addition, the Company applied social media marketing, email marketing, and mobile marketing, with cautious media selection to effectively deliver product, service, or promotional information that aligns with customer interests at the right time. The Company also develops Content Marketing by creating valuable articles covering a wide range of topics, including products and services, financial management insights, and various lifestyle content, to meet customer needs comprehensively and provide a meaningful customer experience.

KTC is also committed to developing a digital workplace to enhance employee flexibility and improve the efficiency and speed of customer service. Additionally, the Company is preparing its IT infrastructure to support online business growth, where all selected solutions must undergo rigorous testing, such as the Proof of Concept (POC). Identified pain points and limitations are continuously improved to maximize efficiency, with a primary focus on security. Furthermore, the Company has implemented Robotic Process Automation (RPA) to replace resource-intensive routine tasks, reducing errors and increasing accuracy. This also allows employees to dedicate more time to developing new skills. As a result, customers, merchants, suppliers, and business partners also benefit from faster and more convenient services, which reduce operational time. Additionally, the use of RPA helps minimize environmental impact by reducing energy consumption, paper usage, and other non-renewable resources. Currently, the Company has deployed RPA in over 1,042 processes.

Technology and Digital Innovation Development

KTC has a policy that focuses on developing and promoting digital technology and innovation to enhance the efficiency of products, services, and electronic payment methods. This approach aims to meet consumer needs by providing convenient, fast, and secure access to information at any time and from anywhere, which simultaneously strengthens the Company’s competitive advantage in the market.

KTC Mobile
Apply Online Service
KTC DIGITAL CREDIT CARD

Additionally, the Company is committed to seeking opportunities to leverage artificial intelligence (AI) technology to continuously enhance internal operations, as in the following example.

Generative AI: Transforming Graphic Design and Marketing Communication