Introduction
The Online Criminal Harms Act 2023 (the Act) was introduced in 2023 to combat criminal activity on online platforms, such as scams and malicious cyber activities (see our previous alert dated 16 May 2023). Pursuant to the Act, the Singapore Police Force has introduced a code of practice for online communications services (the Online Communication Code) and another for e-commerce services (the E-Commerce Code). These take effect from 26 June 2024 and must be complied with by 31 December 2024, subject to certain exceptions for the E-Commerce Code as set out below.
Affected services
The Online Communication Code will apply to the online communication services Facebook, WhatsApp, Instagram, Telegram and WeChat. These services were designated as they were assessed to “present the highest risk of scams to Singapore users”.
The E-Commerce Code will apply to e-commerce services Carousell, Facebook Marketplace, Facebook Advertisements and Facebook Pages. These services were designated as they pose the highest risk of e-commerce scams among e-commerce services in Singapore, accounting for over 70% of e-commerce scams in 2023.
Objectives and measures
The Online Communication Code and E-Commerce Code share three objectives that are achieved by the following measures:
1. Quick disruption of malicious accounts and activities through measures including:
a. Proactive detection and action
b. An easily accessible reporting mechanism for Singapore end-users that is responded to promptly
c. Retention of data relating to scams and malicious cyber activities
d. Enhanced cooperation with law enforcement agencies
2. Deployment of safeguards to prevent propagation of malicious activities through measures including:
a. Reasonable verification measures to prevent the creation and usage of accounts for scams and malicious cyber activities
b. Additional verification procedures on accounts with suspicious conduct or activity detected
c. Strong login verification features for account holders
d. An optional “verified” designation for accounts, which is presented to end-users as more likely to be authentic and which requires account holders to satisfy stronger verification measures
3. Accountability via an annual report on the implementation of measures and efforts to counter and prevent scams and malicious cyber activities in accordance with objectives 1 and 2 above
In addition to measures 2a-2d above, the E-Commerce Code requires designated e-commerce services to implement two additional safeguards:
i. Users who advertise or post about the sale of goods and/or services, or those who intend to do so, must be verified against government-issued records such as SingPass (the Additional Verification Requirement).
ii. Users must be provided the option to use payment protection mechanisms which require the delivery of goods or services to be verified before payment is released to sellers (the Payment Protection Requirement).
For now, designated e-commerce services only have to implement the Additional Verification Requirement for users identified as “risky sellers”. The Singapore Ministry of Home Affairs (MHA) will assess the effectiveness of measures taken to verify the identity of risky sellers until 30 November (for measures taken by Facebook Marketplace) or 31 December 2024 (for measures taken by Facebook Advertisements and Carousell). MHA will require services with no significant drop in reported e-commerce scams to verify the identity of all users by early 2025.
MHA has waived the Additional Verification Requirement for Facebook Pages to prioritise implementation of the requirement for Facebook Marketplace and Facebook Advertisements. MHA has also waived the Payment Protection Requirement for all designated e-commerce services as part of a “risk-calibrated and outcome-based approach” to the prevention of scams and malicious cyber activities. MHA will reassess the implementation of the Payment Protection Requirement in 2025 after the Additional Verification Requirement is implemented. The authorities are expected to continue this risk-calibrated and outcome-based approach for future regulatory changes to combat the latest scams and malicious cyber activities.
Conclusion
The introduction of the codes of practice shows the intent of the authorities to stamp out scams and malicious cyber activities on platforms used to reach potential victims. As the Payment Protection Requirement will be implemented in 2025, designated services should start preparing for compliance with this requirement, alongside the other measures currently in place.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2024-143