Telecom and online fraud has grown rampant in China in the past decade. According to the Supreme People’s Court (SPC), scammers have defrauded victims of more than 35 billion RMB (~5 billion USD) in 2020 alone. In 2021, public security organs nationwide cracked over 394,000 cases of telecom and online fraud and arrested over 630,000 suspects. Meanwhile, the crime of aiding criminal activities on information networks (including telecom and online fraud) has become the third most-prosecuted crime in China, the Supreme People’s Procuratorate (SPP) recently disclosed.
At the same time, fraudsters continue to upgrade their tactics and operations. They take advantage of new technologies to reach more potential victims and to evade prosecution. Relying on leaked or stolen sensitive personal information, they also target susceptible victims with precision by impersonating police officers and other government officials or by exploiting the victim’s personal circumstances. As the domestic crackdown intensifies, many scammers have moved their operations overseas to regions such as northern Myanmar, Cambodia, and Laos. According to the SPC, as of mid-2021, more than 60% of telecom- and online-fraud cases now originate from overseas “hotspots.”
Since 2020, national criminal justice authorities, the telecom regulator, and the central bank have launched multiple joint operations to crack down on the illegal trade in SIM cards as well as bank cards and other payment accounts. The Ministry of Public Security (MPS) has also worked with immigration authorities to break up rings that smuggle people overseas to become scammers. In addition, the SPC, SPP, and MPS have released two joint opinions to clarify the application of related crimes and criminal procedural rules in telecom- and online-fraud cases.
The new Law Against Telecom and Online Fraud [反电信网络诈骗法], adopted by the NPC Standing Committee on September 2, is the latest official action to tackle such crimes. It supplements criminal statutes by prescribing administrative punishments for those who organize or otherwise directly participate in less serious cases of telecom and online fraud (art. 38, para. 2). The bulk of its provisions, however, focus on preventing such fraud from occurring in the first place. Below we take a close look at this new law.
Responsibilities of Service Providers
The Law imposes on key businesses in the telecom, financial, and internet sectors—telecom companies, banks and other payment service providers, and internet service providers—a range of responsibilities aimed at controlling and preventing risks of fraud.
Telecom sector. Telecom companies must “comprehensively implement” the real-name registration requirement for all telephone subscribers and enforce the maximum number of SIM cards allowed per customer under separate regulations (arts. 9–10). When the companies identify an “abnormal, fraud-related” SIM card, they may require reverification of the user’s identity, and may restrict or suspend the card if reverification fails (art. 11). In addition, telecom companies must accurately display the caller’s true number (including country and area codes) on the recipient’s caller ID display, and must block and trace spoofed calls (art. 13).
Internet sector. The Law reiterates the requirement that telecom companies and internet service providers (ISPs) verify users’ identities before they may provide a range of services, including internet access, proxy service, domain registration, web hosting, cloud service, content and software distribution, instant messaging, online payment, gaming, livestreaming, and advertising (art. 21). When discovering an “abnormal, fraud-related” account, ISPs must reverify the user’s identity (art. 22, para. 1). When requested by authorities, they must also do so for any internet account associated with a SIM card involved in a fraud case or with an abnormal, fraud-related SIM card (id. para. 2). Further, the Law imposes on telecom companies and ISPs a “duty of reasonable care” to monitor, identify, and address the use of their services to commit fraud (art. 25, para. 2).
Financial sector. Banking institutions and nonbank payment services bear responsibilities analogous to those discussed above. They must conduct due diligence on customers, identify the beneficial owners, and take corresponding risk management measures (art. 15). They must also establish mechanisms to monitor abnormal accounts and suspicious transactions and take appropriate preventive measures when discovering such an account or transaction (art. 18, para. 3). When carrying out such monitoring, banks and other payment services are expressly authorized by the Law to collect customers’ IP addresses, MAC addresses, point-of-sale terminal information, and other necessary transaction or device-location information (id. para. 4). Unless the customer consents, however, they must not use the information for any purpose other than to combat fraud (id.).
The service providers mentioned above also have the obligation to raise their customers’ awareness of telecom and online fraud, including by reminding them to guard against fraud during business transactions and by issuing prompt alerts of new tactics used by scammers in their respective sectors (art. 30).
Law Enforcement Obligations & Powers
Like service providers, all levels of government have a duty to raise citizens’ awareness of telecom and online fraud and their ability to identify scams (art. 8, para. 1). Education and civil affairs departments, among others, are specifically directed to launch education campaigns targeting the elderly (who are prone to fall victim to scams), teenagers (who are susceptible to recruitment by scammers), and other vulnerable groups (id. para. 2).
The Law requires the police to open a formal investigation whenever they are made aware of or discover any telecom and online fraud activity (art. 27, para. 2). In investigating such fraud cases, the police must also look into the source of any personal information being used (art. 29, para. 2). In addition, the police must work with financial, telecom, and cyber regulators, as well as service providers, to establish “a system of early warning and dissuasion” [预警劝阻系统] to identify potential victims and dissuade them from proceeding with the fraudulent transactions (art. 34).
With approval from the State Council’s inter-ministerial conference on cybercrime, the police as well as financial and telecom regulators may take “temporary risk control measures” against “specific regions with a high level of telecom and online fraud activities” (art. 35). The Law does not further elaborate on what those measures could entail, however.
Lastly, the Law expressly authorizes procuratorates to file public interest lawsuits against conduct that harms the national interest or the public interest when performing anti-fraud work (art. 47). Some procuratorates have already done so in practice. In a 2021 case, for instance, a Zhejiang procuratorate filed a civil damages suit against six defendants, who were also being prosecuted for unlawfully collecting personal information, for harming the privacy rights of nonspecific citizens.
Fraud-Enabling Technologies & Activities
Next, the Law cracks down on the technologies and so-called “upstream offenses” without which telecom and online fraud would not have been able to flourish.
It prohibits any individual or organization from “unlawfully manufacturing, selling, buying, supplying, or using” any device or software that is used to commit telecom and online fraud, such as SIM boxes, technology that enables caller ID spoofing, automatic account-switching systems, and platforms that can send or receive SMS verification codes in bulk (art. 14). A prior draft of the Law would have restricted only technologies that are “exclusively or primarily used” for fraud, but the final version deleted this limitation.
In addition, the Law broadly prohibits any conduct offering “support or assistance” to telecom and online fraud, including selling or supplying personal information and helping scammers launder money (including through cryptocurrency) (art. 25). Recognizing that scammers depend on using SIM cards, bank and other payment accounts, or internet accounts associated with third parties, the Law outlaws a range of activities concerning such cards and accounts, whether or not they are used for fraud, such as unlawful trade, assisting with real-name verification, and opening cards or accounts by impersonating others (art. 31, para. 1).
Violations of all these prohibitions will result in the confiscation of any unlawful gains, a fine, and when the violations are severe, concurrent administrative detention of up to 15 days (arts. 42, 44). Those that flout real-name registration rules (in addition to those convicted of telecom and online fraud or related crimes) will face additional legal consequences: the functions of their cards or accounts may be restricted, and they may be barred from conducting remote transactions or transacting new business (art. 31, para. 2).
Overseas Fraud Hotspots
Finally, the Law contains several provisions aimed at containing overseas scam operations that prey on domestic residents. Under its extraterritoriality provision, authorities may pursue overseas organizations or individuals who commit telecom and online fraud against victims in mainland China, or who provide support to such scammers (art. 3, para. 2).
To curb the outflow of would-be scammers, immigration authorities may impose exit bans on those who travel to overseas hotspot regions and are strongly suspected of engaging in telecom and online fraud once abroad (art. 36, para. 1). (A prior draft of the Law would also have applied the exit ban to anyone who travels overseas from domestic fraud hotspots, but the final text removed this clause.) In addition, the police may bar those convicted of telecom and online fraud from leaving the country for 6 months to 3 years after they have served their sentences (id. para. 2).
The MPS and the Ministry of Foreign Affairs are directed to strengthen cooperation with foreign and international law enforcement authorities over information exchange, investigation, apprehension of suspects, and recovery of stolen funds (art. 37).
The Law Against Telecom and Online Fraud will take effect on December 1, 2022.