1. The Online Criminal Harms Act (OCHA) was passed by Parliament on 5 July 2023 and introduced the following measures:
(a) Directions to online services to restrict the exposure of Singapore users to criminal activities on their platforms;
(b) Orders to limit further exposure to the criminal activities being conducted on the platforms of non-compliant online services;
(c) Powers to require information to administer the Act and facilitate investigations and criminal proceedings; and
(d) Codes of practice and implementation directives to strengthen partnership with online services to counter scams and malicious cyber activities.
2. The provisions for (a) to (c) came into effect on 1 February 2024. The provision for (d) will come into effect on 24 June 2024.
Codes of Practice
3. OCHA creates a framework to strengthen the Government’s partnership with online services to counter scams and malicious cyber activities. Under this framework, the Competent Authority, sited within the Singapore Police Force, can issue Code(s) of Practice (COP) to require providers of designated online services to put in place appropriate systems, processes or measures to proactively disrupt scams and malicious cyber activities affecting people in Singapore.
4. The Competent Authority will issue two COPs, one for Online Communication Services (“Online Communication Code”) and another for E-Commerce Services (“E-Commerce Code”). These COPs will take effect on 26 June 2024.
Code of Practice for Online Communication Services
5. The Online Communication Code is applicable to the following online communication services that will be designated on 26 June 2024. These online services present the highest risk of scams to Singapore users.
(a) Facebook
(b) WhatsApp
(c) Instagram
(d) Telegram
(e) WeChat
6. Under the Online Communication Code, providers of the designated online services must implement appropriate systems, processes or measures to achieve the following:
(a) Objective 1 – Quick Disruption of Malicious Accounts and Activities
Requirements include proactively detecting and taking necessary action(s) against suspected scams and malicious cyber activities, and implementing a fast-track channel to facilitate the receipt of reports on scams and malicious cyber activities from relevant law enforcement agencies and to act on them expeditiously
(b) Objective 2 - Deployment of Safeguards to Prevent Propagation of Malicious Activities
Requirements include having reasonable verification measures to prevent the creation and usage of inauthentic accounts or bots for scams and malicious cyber activities and requiring holders of online accounts to have strong login verification.
(c) Objective 3 – Accountability
Providers of designated online services must submit an annual report on the implementation of the systems, processes and measures to meet Objectives 1 and 2.
Code of Practice for E-Commerce Services
7. The E-Commerce Code is applicable to the following online services that will be designated on 26 June 2024. These online services facilitate e-commerce activities and pose the highest risks of e-commerce scams among other services in Singapore.
(a) Carousell
(b) Facebook Marketplace
(c) Facebook Advertisements
(d) Facebook Pages
8. The E-Commerce Code has the same requirements in the Online Communication Code, with two additional requirements. These additional requirements are based on what MHA assesses to be more critical in protecting Singapore end-users from e-commerce scams:
(a) Subject users who advertise or post about the sales of goods and/or services, or those who intend to do so, to verification against Government-issued records; and
(b) Provide, as an option for users, payment protection mechanisms that require delivery of goods or services to be verified, before payment is released to the sellers.
Timeline
9. Online Communication Code. Providers of the designated online services in respect of the Online Communication Code will be required to implement the appropriate systems, processes or measures to comply with the COP by 31 Dec 2024.
10. E-Commerce Code. MHA will adopt a risk-calibrated and outcome-based approach, for the implementation of the E-Commerce Code:
(a) We will prioritise the implementation of the user verification requirement (para 8a), which we assess to be the most critical to curb scams. We will allow the designated online services to only apply the user verification requirements on those they identify to be risky (“risky sellers”) for a start. Should the e-commerce scam situation fail to improve, we will then require the services to expand the coverage of the verification requirements, such that more users need to have their identity verified. The timelines are as follows:
(i) Carousell. Between 1 Jul and 31 Dec 2024, MHA will assess the effectiveness of Carousell’s measures to verify the identity of risky sellers. If the number of e-commerce scams reported on Carousell does not drop significantly, MHA will require Carousell to verify the identity of all sellers by 1 Apr 2025.
(ii) Facebook.
1. Marketplace. Between 1 Jun and 30 Nov 2024, MHA will assess the effectiveness of Facebook’s measures to verify the identity of risky sellers on Marketplace. If the number of e-commerce scams reported on Marketplace does not drop significantly, MHA will require Facebook to verify the identity of all Marketplace sellers by 1 Mar 2025.
2. Advertisements. Between 1 Jul and 31 Dec 2024, MHA will assess the effectiveness of Facebook’s measures to verify the identity of risky advertisers. If the number of scam reports arising from advertisements on Facebook does not drop significantly, MHA will require Facebook to verify the identity of all advertisers by 1 Apr 2025.
3. Pages. MHA will waive the two additional requirements under the E-Commerce Code (in para 8a and 8b) for Facebook Pages for now. This is to allow Facebook to prioritise implementing user verification for Marketplace and Advertisements this year.
(b) As for the requirement on payment protection mechanisms (in para 8b), we will similarly adopt a risk-calibrated and outcome-based approach. Specifically, we will assess the need for this requirement based on the effectiveness of the user verification measures that the designated online services are putting in place to reduce the number of e-commerce scams. We will waive this requirement for now, to allow the services to prioritise implementing the necessary processes to comply with the user verification requirement, and reassess this in 2025.
(c) For the other requirements in the E-Commerce Code, providers of the designated online services in respect of the E-Commerce Code will be required to comply with them by 31 Dec 2024.
11. MHA will review the list of designated online services regularly based on the prevailing scams situation.
Rectification Notice
13. Should the Competent Authority assess that a provider of a designated online service has not complied with any part of the Code(s) of Practice applicable to it, a Rectification Notice may be issued to the provider to correct the non-compliance by a specified time. Failure to rectify is a criminal offence.
Implementation Directive
14. The Competent Authority may also issue Implementation Directives to the provider of any designated online service to implement a specific system, process or measure to address the risk of scams or malicious cyber activities.
Conclusion
15. Tackling online criminal harms requires a collaborative effort between the Government, citizens and industry stakeholders. The Government will continue to work with the industry to try to minimise criminal activities in the online space from affecting Singapore users.