Telecoms and online fraud have soared in recent years. Responding to this grim and complex trend, the Ministry of Public Security has launched various campaigns from 2021 to 2022, cracking down on 394,000 telecoms and online fraud cases, and arresting 634,000 suspects.
In 2021 alone, the National Anti-Fraud Centre urgently stopped payments involving more than RMB320 billion (USD46.4 billion), blocked 1.55 billion scam calls and protected more than 28 million unsuspecting victims from fraud attempts.
Meeting an urgent need to combat telecoms and online fraud, the Anti-Telecom and Network Fraud Law was promptly enacted under the guiding principle of precise and flexible legislation on topical issues of public concern.
Significantly, the law features institutional obligation for industry players to act, and the general subjects’ obligation of omission, providing a compliance paradigm for internal control and governance in related industries.
Reflecting the necessity of achieving “anti-fraud compliance” as soon as possible in relevant industries, a Beijing-based company was fined more than RMB64 million on 22 November 2022 for failing to implement relevant requirements to forestall telecoms fraud risks and other illegal activities, the biggest fine in the third-party payment industry disclosed by the People’s Bank of China last year.
The security and stability of the financial, telecoms and internet industries, which are crucial to daily lives, are an important part of safeguarding public well-being.
In April 2022, the Opinions on Strengthening the Work of Cracking Down on Telecoms and Online Fraud Offences stepped up the fight against telecoms and online fraud. In particular, the opinions emphasised the need to strengthen industry supervision and establish sound systems of security assessment and access.
Clearly, unlike previous judicial interpretations, the scope of the objectives of the Anti-Telecom and Network Fraud Law is expanded from “people who intend to commit a crime” to those who have a law-abiding obligation. By creating universal obligations enabling extensive protection, criminal legislation shows a significantly active trend.
The second, third and fourth chapters of the Anti-Telecom and Network Fraud Law summarise a series of “compliance” obligations of telecoms operators, banking institutions, non-bank payment organisations and internet service providers. These cover prevention, supervision and handling, with administrative penalties to ensure fulfilment of such obligations.
For the relevant industries, the law specifies security obligations to help combat telecoms and online fraud, including creating fraud prevention mechanisms, implementing risk management measures, and reporting and assisting in the handling of suspicious activity.
The law – setting out statutory obligations at the level of “state regulation” – is based on the perspective of front-end prevention and comprehensive management, and violation of the obligation constitutes an illegal act or even a crime of omission.
Especially for the emerging internet industry, the obligations of internet platforms have been clarified and standardised with the Cybersecurity Law, Data Security Law and Personal Information Protection Law, gradually implemented in recent years. Through real-name verification, monitoring abnormality, tracing and risk feedback, the obligations aim to eradicate the sources of telecoms and online fraud.
Taking into account updates of relevant legal provisions, it is anticipated that the crime of refusing to perform the obligation of information network security management, set out in article 286 of the Criminal Law, will likely be activated and become a new point of criminal compliance risk.
It is found in judicial practice that some fully fledged black and grey industrial chains have gradually taken shape for brushing scams, running points, and card and account maintenance, providing a steady stream of nutrients for related cybercrime activities.
The Anti-Telecom and Network Fraud Law indicates a general trend of legislation to stimulate the regulatory initiative of relevant industries by clarifying compliance obligations, so as to co-ordinate forces and resources of multiple governance bodies to combat crimes.
When providing technical services or fund settlement and payment services, industry players – depending on closeness of subjective complicity, objective behaviour, harmful consequences and causality – are exposed to the risk of becoming an accomplice in such crimes as helping information network-related criminal activities, covering up criminal proceeds, money laundering, infringing citizens’ personal information, and even fraud.
Article 7 of the Anti-Telecom and Network Fraud Law provides that any matters not covered in this law shall be subject to the Cybersecurity Law, Data Security Law and Personal Information Protection Law.
Compared with traditional crime, assisting cybercrime plays an indispensable role in the completion of a crime. In a case-wide assessment, such help may even render greater social harm than the act of perpetrating. As a result, recent legislation has expanded the boundary of penalties for “technology-neutral” assistance.
In the crime of assisting information network crime, identification of the helper’s knowingness of crime has gradually changed to presumption. The examination obligation was created and the degree of examination was deepened in the previous judicial interpretations to expand the coverage of crackdown on the crime.
Importantly, it is affirmed that the helper’s crime can still be established even when it cannot be verified whether the assisted has committed a crime, or when they have not been captured, or a court order not awarded. Articles 25 and 31 of the Law Combating Telecom and Online Fraud have set out explicit prohibitions against general subjects’ act of helping, and article 38 provides guidance on independent incrimination of helpers.
The telecoms, financial and internet industries are characterised by large scale, complex structure and extensive audience, prone to exploitation for illegal and criminal activities. Players in relevant industries should be especially vigilant about criminal compliance risks in doing business, especially in sensitive links such as advertising, payment, data and information dissemination, and account opening.
Industry players should strictly abide by relevant laws and regulations, and establish pre-event, real-time and after-event compliance policies and handling strategies to avoid the risk of technical service links being identified as an act of assisting a crime.