Carousell, Facebook Marketplace and other companies must implement measures to “actively disrupt” fraud from June 26, 2024 – Mothership.SG

Service providers such as Facebook, Instagram, WhatsApp, Telegram, WeChat and Carousell will be required to implement “appropriate systems, processes or measures to proactively disrupt” fraud and malicious cyber activities affecting Singapore users from June 24. 2024.

The competent authority within the Singapore Police Force will be able to issue Codes of Conduct (COP), which form part of the framework established under the Online Crime Harms Act (OCHA).

The framework aims to “strengthen the government’s partnership with internet services to combat fraud and malicious activities in cyberspace,” the Ministry of Home Affairs (MHA) said in a press release on June 21.

Earlier in April 2024, Facebook Marketplace and Carousell received the lowest ratings among the six major e-commerce marketplaces in the 2024 edition of the Inter-Agency Commission on Fraud’s E-Commerce Transaction Security Assessment.

According to MHA, this is because both platforms have only implemented “some” key security features, which include measures to verify seller authenticity and monitor fraudulent seller behavior.

Facebook Marketplace was also the platform used in almost half of e-commerce frauds reported in 2023.

The COPs will enter into force on June 26, 2024

According to the MHA, the competent authority will issue two COPs, one for online communication services (Online Communication Code) and the other for e-commerce services (E-Commerce Code).

These COPs will enter into force on June 26.

Internet Communication Code

According to the MHA, the Online Communications Code applies to five online communication services that “pose the highest risk of fraud for Singapore users.”

These online services, namely Facebook, WhatsApp, Instagram, Telegram and WeChat, will be designated on June 26.

According to the Online Communications Code, these service providers “must implement appropriate systems, processes or measures” to achieve three goals: rapidly disrupting malicious accounts and activities, implementing safeguards to prevent the spread of malicious activity, and achieving accountability.

Requirements to achieve these goals include proactively detecting and taking necessary action against suspected fraud and having “reasonable verification measures” to prevent, among other things, the creation and use of inauthentic accounts or bots for fraud.

Providers of designated online services will be required to implement appropriate systems, processes or measures to ensure compliance with the COP by December 31, 2024.

Electronic Commerce Code

According to the MHA, the e-commerce code applies to four online services that “facilitate the ease of doing e-commerce business and have the highest e-commerce fraud risk among other services in Singapore.”

These online properties, namely Carousell, Facebook Marketplace, Facebook Ads and Facebook Pages, will also be designated on June 26.

In addition to the requirements under the Internet Communications Code, the Electronic Commerce Code includes two more requirements regarding user verification and payment protection mechanisms.

These additional requirements “are based on what the MHA considers more important in protecting Singapore’s end-users from e-commerce fraud,” the ministry said.

Implementation schedule

To implement the E-Commerce Code, the MHA will adopt a “risk-calibrated, outcomes-based approach” by prioritizing implementation of the user verification requirement.

This is because the ministry rated this measure as “the most important in reducing fraud”.

“To start with, we will only allow designated online services to apply user verification requirements to those they deem risky. If the e-commerce fraud situation does not improve, we will require these services to expand the scope of verification requirements so that more users need to verify their identity,” the MHA said.

Implementation of user verification requirements

The time frames of individual providers of these services also vary.

For example, in the case of Carousell, the MHA will assess the effectiveness of its measures to verify the identity of risky sellers in the period from July 1 to December 31, 2024.

If the number of e-commerce frauds reported on Carousell does not decline “significantly,” the MHA will require Carousell to verify the identity of all sellers by April 1, 2025.

Similarly, MHA will conduct the same assessment on Facebook Marketplace from June 1 to November 30, 2024.

The MHA will require Facebook to verify the identity of all Marketplace sellers by March 1, 2025 if the number of e-commerce frauds reported on the platform does not decline “significantly.”

Implementation of payment protection mechanisms

The MHA said it will also adopt a risk-calibrated and performance-based approach to implementing the requirement for payment protection mechanisms.

The ministry will assess the need for this requirement “based on the effectiveness of the user verification measures that designated online services implement to reduce e-commerce fraud.”

For now, the MHA will waive this requirement “to enable the service to prioritize implementing the necessary processes to meet the user verification requirement” and “reassess this in 2025.”

Implementing other requirements

For the remaining requirements of the E-Commerce Code, designated ISPs must comply by December 31, 2024.

The MHA added that it will “regularly” review the list of these services based on the prevailing fraud cases.

More information on both COPs can be found here.

Other anti-fraud measures

A correction notice may be issued to a provider of designated online services if the competent authority assesses that the provider does not comply with any part of the COPs that apply to it.

The notice will require the supplier to remedy the non-compliance within a specified period.

Failure to rectify is a crime.

In addition, the competent authority may also issue implementing directives to the provider of any designated online service to implement “a specified system, process or measure to prevent the risk of fraud or malicious cyber activities”.

More information about OCHA can be found here.