04 April
Many people know ThaiD as a digital identity verification app for logging into various systems — but in reality, ThaiD is only one part of the broader e-KYC ecosystem developed by DOPA (Department of Provincial Administration). This article takes a deep dive into DOPA's complete e-KYC system, from its 3 API levels and IAL/AAL assurance standards to integration with ERP systems at multiple touchpoints — not just the login page.
Summary: 3 Levels of DOPA e-KYC
- Level 1: ID Card Data Verification (Card Verification) — IAL 1.3
- Level 2: Face Verification — IAL 2.2
- Level 3: Identity Authentication via ThaiD (Digital ID Authentication) — IAL 2.3
What Is e-KYC? Why Should Organizations Care?
KYC (Know Your Customer) is the process of verifying the identity of users or business partners. Traditionally, this had to be done manually — using photocopies of national ID cards, signed certifications, and manual review by staff. e-KYC (Electronic Know Your Customer) takes the same process and digitizes it — verifying identity electronically instead of using paper documents.
In Thailand, e-KYC is supported by several laws and standards:
- Digital Identity Verification Act B.E. 2565 (2022) — Establishes the framework and standards for digital identity verification for both government and private sector organizations.
- Anti-Money Laundering Act — Requires financial institutions and related agencies to implement KYC processes.
- PDPA (Personal Data Protection Act) — Governs the collection, use, and disclosure of personal data that occurs during the e-KYC process.
| Criteria | Traditional KYC (Paper-based) | e-KYC (Digital) |
|---|---|---|
| Process | Photocopy ID card → sign certification → submit to staff → manual visual inspection | Scan card/face → API verifies automatically → instant result |
| Processing Time | 1-5 business days | Under 30 seconds |
| Cost | Paper + staff labor + document storage costs | API cost per transaction (significantly lower) |
| Accuracy | Depends on staff — prone to human error in visual verification | Very high — verified directly against the civil registration database |
| Forgery Risk | High — ID card copies are easily forged | Very low — uses biometric data + actual government database |
| Storage | Must store physical documents, requiring significant space | Stored as digital logs — easy to search, no physical storage needed |
DOPA API — The Identity Verification System by the Department of Provincial Administration
DOPA (Department of Provincial Administration) under the Ministry of Interior is the custodian of Thailand's civil registration database — national ID card data, facial photographs, and fingerprints for every Thai citizen are all managed by DOPA.
DOPA provides authorized government and private sector organizations access via the DOPA API for identity verification, offered at 3 service levels:
| Service Level | Verification Method | Assurance Level (IAL) | Best For |
|---|---|---|---|
| Level 1: Card Verification | Submit ID number + name → DOPA checks if data matches civil registration records | IAL 1.3 | Basic data verification, vendor registration |
| Level 2: Face Verification | Capture facial photo → DOPA compares against civil registration database photo | IAL 2.2 | Account opening, employee identity verification, e-Signature |
| Level 3: ThaiD Authentication | Authenticate via ThaiD app + Face Verification + ID card chip data | IAL 2.3 | Critical system login, financial transaction approval, contract signing |
IAL/AAL Standards — Digital ID Assurance Levels
When discussing e-KYC, you will frequently encounter the terms IAL and AAL — both are standards used to measure the assurance level of identity proofing and authentication. They are based on NIST SP 800-63 (Digital Identity Guidelines) from the United States, and ETDA (Electronic Transactions Development Agency) has adapted them as Thailand's national standards.
IAL (Identity Assurance Level) — How Confident Are You About Who This Person Is?
IAL measures "how well can you prove this person's identity":
| Level | Proofing Method | Example Use Cases |
|---|---|---|
| IAL 1 | Self-asserted — the user provides their own information with no verification | General website registration, newsletter subscription |
| IAL 2 | Identity document verification (remote or in-person) + optional biometric | Bank account opening, vendor registration in ERP, HR onboarding |
| IAL 3 | Document verification + biometric + in-person confirmation by authorized officer | Passport issuance, high-value legal transactions, government contract signing |
AAL (Authenticator Assurance Level) — How Confident Are You the Right Person Is Logging In?
AAL measures "how sure are you that the person currently logging in is the same person who registered":
| Level | Authentication Method | Examples |
|---|---|---|
| AAL 1 | Single-factor — password only | General website login |
| AAL 2 | Multi-factor — password + OTP/2FA or ThaiD | ERP system login, internet banking, disbursement approval systems |
| AAL 3 | Hardware token + biometric — phishing-resistant | National security systems, extremely high-value financial systems |
Simple rule: IAL answers "Who is this person?" while AAL answers "Is the person using the system right now really who they claim to be?" — A well-designed ERP system must have an appropriate IAL during registration and an appropriate AAL every time a user logs in.
Important — Digital ID Does Not Replace Physical ID in All Cases
Although ThaiD and e-KYC enable digital identity verification in many scenarios, several in-person services still require a physical national ID card — for example, opening a bank account at a branch or filing tax returns in person at the Revenue Department. Digital ID is not yet accepted as a substitute for the physical card in these services (as of April 2026). Therefore, e-KYC should be considered a supplementary channel, not a complete replacement.
5+ Use Cases: e-KYC with ERP Systems
e-KYC is not just useful at login — it can be applied at multiple points in an ERP system where identity verification is required:
1. New Vendor Verification (Preventing Fraudulent Vendors)
When the procurement system registers a new vendor, DOPA API Level 1 or 2 can verify that the person claiming to be a company director actually exists — preventing the creation of fictitious vendors used for fraudulent disbursements.
2. e-Signature for Disbursement Approval
High-value disbursement approvals can be linked to e-KYC Level 2 (Face Verification) to confirm the approver is the real person — not just someone who knows the password.
3. HR Onboarding — New Employee Identity Verification
The HR system can use e-KYC to verify new employee data against the civil registration database instantly — no need to wait for ID card photocopies or manual visual verification.
4. Preventing Ghost Employees
The "ghost employee" problem — names in the system with no real person behind them — can be prevented through monthly or annual Face Verification, confirming that every employee in the HR system is a real, existing person.
5. Verifying Authorized Contract Signatories
Before signing high-value contracts with e-Signature, ThaiD (Level 3) can verify that the signatory is actually an authorized person as stated in the company's certificate of incorporation.
| Use Case | Problem Solved | Required IAL Level | Related ERP Module |
|---|---|---|---|
| New Vendor Verification | Fraudulent vendors / nominees | IAL 1-2 | Procurement |
| e-Signature Disbursement Approval | Unauthorized approver | IAL 2-3 | Disbursement Approval, Accounting |
| HR Onboarding | Inaccurate employee data | IAL 2 | HR |
| Ghost Employee Prevention | Fictitious employees in the system | IAL 2 | HR |
| Contract Signing | Unauthorized signatory | IAL 3 | e-Signature, Procurement |
| ERP System Login | Phishing / stolen passwords | AAL 2 | All modules (ThaiD Login) |
DOPA API Flow — How to Integrate (Technical)
For IT teams looking to understand the technical flow of integrating DOPA API with an ERP system, here are the key steps:
OAuth 2.0 Flow
DOPA API uses the OAuth 2.0 standard for authentication — the ERP system must first register as a Relying Party (RP) with DOPA to obtain a Client ID and Client Secret for API access.
Request Sequence
- User initiates a transaction requiring identity verification in the ERP system (e.g., disbursement approval)
- ERP sends a request to DOPA API with a token and the data to be verified
- DOPA API checks the data against the civil registration database
- DOPA API returns the result (match / not match / error)
- ERP records the consent log + verification result + proceeds with the transaction (or rejects it)
- User receives notification of the verification result
Key Requirements
- Register with DOPA — Must apply and receive authorization before using the API
- SSL/TLS Mandatory — All connections must be encrypted (HTTPS only)
- Consent Log — Must record user consent every time data is sent for verification (per PDPA)
- Rate Limiting — DOPA API has daily request limits
- IP Whitelist — ERP server IP addresses must be registered with DOPA in advance
Risks and Considerations
While e-KYC enhances security and streamlines processes, there are risks that must be managed:
| Risk | Description | Mitigation |
|---|---|---|
| PDPA Compliance | Sending personal data to DOPA without consent | Obtain consent before every request + maintain consent log + clearly state the purpose |
| Data Minimization | Retrieving more data from DOPA than necessary | Request only the data you need — e.g., if only verifying identity, do not request the address |
| API Downtime | DOPA API goes down, preventing identity verification | Implement fallback mechanism — e.g., use OTP temporarily + retry queue |
| False Rejection | Face Verification rejects a real person (e.g., facial changes due to aging) | Implement manual override process by senior staff + record in audit log |
| Data Breach | Data sent to/from DOPA is intercepted | Enforce TLS 1.3 + do not store biometric data on the ERP side + encrypt at rest |
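The request sequence and key requirements above, together with the consent, data-minimization and API-downtime mitigations in the risk table, as an added example of the relying-party side in Python. This is not DOPA's or Saeree ERP's code: the endpoint path `/v1/card/verify`, the request fields, the `result` values and the offline `fake_dopa_transport` stand-in are all assumptions, and the ID number and names are constructed.

```python
import json
from datetime import datetime, timezone

# Fields a Level 1 (card verification) request may carry; anything else is refused (data minimization).
LEVEL1_FIELDS = {"id_number", "first_name", "last_name"}


class EkycClient:
    """Relying-party side of a Level 1 check. Endpoint path and JSON shape are assumptions."""

    def __init__(self, base_url, access_token, transport):
        if not base_url.startswith("https://"):          # HTTPS only, rejected before any data is sent
            raise ValueError("DOPA API must be called over HTTPS")
        self.base_url = base_url.rstrip("/")
        self.token = access_token     # OAuth 2.0 access token obtained as a registered Relying Party
        self.transport = transport    # callable(url, headers, body) -> (http_status, dict)
        self.audit_log = []           # consent + result for every request (PDPA consent log)
        self.retry_queue = []         # requests to replay once DOPA is reachable again

    def verify_card(self, consent, person):
        # No recorded consent, no request: consent is required for every verification.
        if not consent or not consent.get("granted_at"):
            raise PermissionError("consent must be recorded before contacting DOPA")
        extra = set(person) - LEVEL1_FIELDS
        if extra:                                          # refuse loudly rather than silently drop
            raise ValueError(f"refusing to send unnecessary fields: {sorted(extra)}")
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        try:
            status, body = self.transport(f"{self.base_url}/v1/card/verify", headers, json.dumps(person))
            result = body.get("result") if status == 200 else "error"
        except ConnectionError:                            # an outage is an outcome, not a crash
            status, result = None, "error"
        if result not in ("match", "not_match"):
            result = "error"
        if result == "error":                              # fallback: keep the request for a retry
            self.retry_queue.append({"consent": consent, "person": person})
        # Audit entry holds only what traces the decision (consent, purpose, last 4 ID digits, result): no name, address or biometrics.
        self.audit_log.append({"checked_at": datetime.now(timezone.utc).isoformat(),
                               "consent_id": consent["consent_id"], "purpose": consent["purpose"],
                               "id_number_last4": person.get("id_number", "")[-4:],
                               "http_status": status, "result": result})
        return result


def fake_dopa_transport(url, headers, body):
    """Constructed offline stand-in for the HTTPS call; exactly one constructed record matches."""
    if headers.get("Authorization") != "Bearer test-token":
        return 401, {}
    p = json.loads(body)
    ok = (p["id_number"], p["first_name"], p["last_name"]) == ("1234567890121", "Somchai", "Jaidee")
    return 200, {"result": "match" if ok else "not_match"}
```

Swap `fake_dopa_transport` for a real HTTPS call once the ERP server's IP is whitelisted and a token has been issued; the consent, minimization and retry-queue behaviour stays the same.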
Comparison: DOPA e-KYC vs NDID vs Private ID
Thailand has multiple digital identity verification systems — each with distinct strengths:
| Criteria | DOPA e-KYC | NDID | Private ID (Commercial) |
|---|---|---|---|
| Provider | Department of Provincial Administration (government) | National Digital ID Co., Ltd. (quasi-government) | Private companies (e.g., LINE, TrueMoney) |
| Database | Civil registration (covers every Thai citizen) | Connected to multiple sources (banks, telecoms) | Own customer database |
| Cost | Low (government pricing) | Moderate | Varies |
| Maximum IAL Level | IAL 2.3 (via ThaiD) | IAL 2.3 | IAL 1-2 (depends on provider) |
| Best For | Government agencies, government ERP systems | Financial institutions, insurance companies | Commercial apps, e-Commerce |
| Face Verification Support | Supported | Supported (via IdP) | Some providers support it |
| Key Advantage | Direct connection to civil registration — covers every Thai citizen | Federated Identity — uses identities from multiple sources | Easy, fast, no government authorization required |
Saeree ERP + e-KYC
Saeree ERP supports ThaiD Login — Users can choose to log in with ThaiD instead of entering a password (read more at What Is ThaiD — Identity Verification with ThaiD in Saeree ERP)
Developing additional e-KYC Integration — Saeree ERP is currently developing DOPA API integration for use cases beyond login, such as vendor verification, HR onboarding, and e-Signature verification — to provide complete digital identity verification across all critical transactions in the ERP system.
e-KYC is not just about login — it is the foundation of trust in every digital transaction within an organization, from vendor registration to disbursement approval and contract signing.
- Paitoon Butri, Network & Server Security Specialist, Grand Linux Solution Co., Ltd.
Summary — e-KYC Is the Digital Infrastructure of Modern ERP
| Topic | Summary |
|---|---|
| What Is e-KYC | Digital identity verification — replacing paper-based ID card copies |
| DOPA API | Identity verification system by the Department of Provincial Administration with 3 levels (Card / Face / ThaiD) |
| IAL / AAL | Standards measuring the assurance level of identity proofing (IAL) and authentication (AAL) |
| ERP Use Cases | Vendor verification, e-Signature, HR onboarding, ghost employee prevention, contract signing |
| Saeree ERP | Supports ThaiD Login + developing additional e-KYC integration |
| Key Considerations | Must obtain consent (PDPA), apply data minimization, have fallback when API is down |
If your organization needs an ERP system that supports Digital ID and comprehensive e-KYC — from ThaiD Login to vendor verification and e-Signature, you can schedule a demo or contact the Saeree ERP consulting team today. Read more about Saeree ERP's security features and the 2FA system.
