Framework in Online Criminal Harms Act 2023 for codes of practice and directives to counter scams and malicious cyber activities in force : Allen & Gledhill

26 July 2024

The Online Criminal Harms Act 2023 (“OCHA”) has come into force, enabling authorities in Singapore to deal more effectively with online activities that are criminal in nature. The provisions of the OCHA came into operation in two phases. Features introduced by the OCHA include:

(a) Directions to online services to restrict the exposure of Singapore users to criminal activities on their platforms;

(b) Orders to limit further exposure to the criminal activities being conducted on the platforms of non-compliant online services;

(d) Codes of practice (“COPs”) and directives to strengthen partnership with online services to counter scams and malicious cyber activities.

The provisions for (a) to (c) came into effect on 1 February 2024, while the provisions for (d) came into effect on 24 June 2024. This alert focuses on the provisions of the OCHA that came into force on 24 June 2024. For more information about the provisions that came into force on 1 February 2024, please see our article “Online Criminal Harms Act 2023 enabling authorities to deal more effectively with criminal online activities partially in force on 1 February 2024”.

COPs

To counter scams and malicious cyber activities, the OCHA creates a framework allowing the competent authority, sited within the Singapore Police Force (“Competent Authority”), to issue COPs to require providers of designated online services to put in place appropriate systems, processes, and measures to proactively disrupt scams and malicious cyber activities affecting people in Singapore.

The Competent Authority has issued two COPs which took effect on 26 June 2024:

Code of Practice for Online Communication Services (“Online Communication Code”)
Code of Practice for E-Commerce Services (“E-Commerce Code”).

The list of designated online services and e-commerce services may be accessed from the Singapore Police Force’s website.

Online Communication Code

The Online Communication Code applies to the designated online services which are identified to present the highest risk of scams to Singapore users. Providers of the designated online services must implement appropriate systems, processes, or measures to achieve the following objectives by 31 December 2024:

Quick disruption of malicious accounts and activities: Proactively detect and promptly take all necessary actions against suspected scams and malicious cyber activities, and implement a fast-track channel to facilitate the receipt of reports on scams and malicious cyber activities from relevant law enforcement agencies and to act on them promptly.
Deployment of safeguards to prevent propagation of malicious activities: Ensure reasonable verification measures are put in place to prevent the creation and usage of accounts, including compromised, inauthentic, or bot-controlled accounts, for scams and malicious cyber activities, and require holders of online accounts to have strong login verification.
Accountability: Submit to the Competent Authority an annual report on the implementation of the systems, processes, and measures to meet the two objectives above.

E-Commerce Code

The E-Commerce Code applies to the designated e-commerce services which are identified to pose the highest risks of e-commerce scams among other services in Singapore. The E-Commerce Code imposes on providers of the designated e-commerce services the same requirements as those in the Online Communication Code, with the following two additional requirements aimed at protecting Singapore end-users from e-commerce scams:

User verification requirement: Subject users who advertise or post about the sales of goods and/or services, or those who intend to do so, to verification against Government-issued records; and
Payment protection mechanisms: Provide, as an option for users, payment protection mechanisms that require delivery of goods or services to be verified, before payment is released to the sellers.

The Ministry of Home Affairs (“MHA”) will adopt a risk-calibrated and outcome-based approach for the implementation of the E-Commerce Code. Aside from the two additional requirements, the other requirements in the E-Commerce Code are to be met by 31 December 2024.

For the two additional requirements, MHA will prioritise the implementation of the user verification requirement outlined above with specified timelines for the providers of the designated e-commerce services. For a start, MHA will allow the designated e-commerce services to apply the user verification requirements only on users who are identified to be risky (risky sellers). Should the e-commerce scam situation fail to improve, MHA will then require the services to expand the coverage of the verification requirements, such that more users need to have their identity verified.

MHA will assess the need for the requirement on payment protection mechanisms depending on the effectiveness of the user verification measures that the designated online services put in place to reduce the number of e-commerce scams. Hence, MHA will waive the requirement on payment protection mechanisms for now and reassess the situation in 2025.

Rectification Notice and Implementation Directive

Where the Competent Authority assesses that a provider of a designated online service has not complied with any part of the COPs applicable to it, a Rectification Notice may be issued to the provider to correct the non-compliance. Failure to rectify will constitute a criminal offence.

The Competent Authority may also issue an Implementation Directive to the provider of any designated online service to implement a specific system, process, or measure to address the risk of scams or malicious cyber activities.

Reference materials

The following materials are available from the MHA website www.mha.gov.sg and Singapore Statutes Online sso.agc.gov.sg: