Previously, the CDSA and CMA set a higher threshold of actual knowledge for an accused to be prosecuted by the authorities. A CDSA offence was only made out if the accused knew or had reasonable grounds to believe that they were facilitating others to benefit from criminal conduct. Meanwhile, a CMA offence was only made out if the accused knowingly disclosed account credentials for wrongful gain or unlawful purposes, or knew that such disclosure would be likely to cause wrongful loss.
Ignorance was a convenient excuse for the accused, since the authorities had to prove beyond reasonable doubt that the accused knowingly committed the alleged offences. This was one of the reasons why less than 8% of suspected money mules involved in a series of phishing scams targeting a Singapore bank’s customers could be charged in court. The limited prosecution contrasts with the substantial losses of around S$14 million suffered by hundreds of bank customers.
Also, the authorities could only react to the consequences of online criminal activities. For example, if a website gave rise to a reasonable suspicion that it was being used to con people into an investment scam, the authorities could only take action if someone actually suffered losses from the scam and reported the website to the authorities. Since it is relatively easy to create and disseminate scam content online, such delays in taking action put more people at risk, which the OCHA amendments seek to overcome.
The CDSA amendments build on the “negligent” and “rash” concepts in the Penal Code 1871, requiring lower culpability for prosecution compared to the previous threshold of actual knowledge. A money mule will be liable for negligent money laundering if they conducted a transaction despite red flags or suspicious indicators being noticeable by an ordinary, reasonable person. Rash money laundering has higher culpability and a money mule will be liable if they conducted a transaction despite having suspicions about the transaction, and did not make further enquiries to address those suspicions.
Negligent money laundering is punishable with a fine of up to S$150,000 and/or three years’ imprisonment, while rash money laundering is punishable with a fine of up to S$250,000 and/or five years’ imprisonment. Where persons did not know and did not have reason to believe that they were operating as money mules, the CDSA amendments now shift the burden onto them to prove the defence.
The CMA amendments introduce an offence for those who deliberately disclose their Singpass credentials which are then used to facilitate crime, and another offence for those who obtain or deal in Singpass credentials to facilitate crime. Those who deliberately disclose their Singpass credentials will be presumed to have committed an offence if they received any gain from the disclosure, knew the disclosure would likely cause wrongful loss to someone, or did not take reasonable steps to find out the identity and physical location of the person to whom they disclosed their credentials. The burden is now shifted onto them to rebut the presumption.
The two CMA offences are punishable with a fine of up to S$10,000 and/or three years’ imprisonment for first-time offenders. Where persons do not know or do not have reason to believe their credentials will be used to commit an offence, they will not be held liable. This accommodates older residents, who may share their Singpass credentials with family members to get help accessing important e-services.
The proposed OCHA
The OCHA allows government directions to be issued once there is a reasonable suspicion that an online activity is being carried out to commit certain crimes that affect national security, national harmony or individual safety. These include the CDSA and CMA offences above, as well as offences relating to guns, unlawful gambling, terrorism and more. The lower threshold of reasonable suspicion helps the authorities take pre-emptive actions to prevent online criminal activity, instead of reacting to the consequences.
There are five government directions that can be issued under the OCHA:
- The Stop Communication Direction requires the recipient to stop communicating specified online content.
- The Disabling Direction requires online service providers to disable specified content on their service from the view of Singapore residents.
- The Account Restriction Direction requires online service providers to stop an account from communicating in Singapore and/or interacting with Singapore residents.
- The Access Blocking Direction requires internet service providers to block Singapore residents from accessing an online location such as a web domain.
- The App Removal Direction requires app stores to remove an app so that Singapore residents cannot download it.
The CDSA and CMA amendments also contain forward-looking provisions that are designed to deter new types of scams in the future. Section 55A(7) of the CDSA will adopt the Payment Services Act 2019 definition of payment accounts. This definition covers new payment gateways like e-wallets that scammers may exploit. Section 13 of the CMA will give Singapore courts jurisdiction over the new CMA offences when committed outside Singapore. Extra-territoriality deters overseas scam syndicates from targeting Singapore residents and underscores the importance of Singpass’ security in providing a national digital identity service.
The OCHA also provides for codes of practice, rectification notices and implementation directives, which establish a framework for designated online services to disrupt online criminal activities. This framework guides designated online services in implementing systems, processes and measures that support the authorities’ proactive enforcement against online criminal activities. While details are still pending, the OCHA could take a similar approach to the Broadcasting Act 2019, where social media services were tasked to implement user reporting tools and accountability initiatives for specific types of high-risk content. The framework is prescient as certain online services have greater risks which the authorities cannot address single-handedly.
These legal deterrents complement other initiatives to prevent scams, including educational outreach and more stringent verification requirements for corporates operating in the online space. While various stakeholders could face increasing regulatory overhead, it is critical to enhance security and build trust in today’s digital landscape.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2023-112