The Online Safety Act: Landmark legislation on online fraud

The Online Safety Act has received Royal Assent after a tumultuous passage through both Parliament and the court of public opinion. Given this is one of the first attempts to regulate the hitherto ‘wild west’ landscape of online content, this is perhaps not surprising.  

However, while many aspects of the Act were somewhat polarising, there was universal agreement that the significant role of the online realm in facilitating fraud must change. This is perhaps because the case for doing so is urgent; according to data collated by UK Finance, consumers lost over half a billion pounds to fraud in the first half of 2023, and 88% of identity frauds recorded to Cifas in the first nine months of 2023 came through online channels.   

To tackle this issue the new provisions in the Online Safety Act require ‘user-to-user’ platforms and search services to put in place ‘proportionate measures’ to protect users from encountering fraudulent material on their platforms. The measures have been long fought for by the counter-fraud community, given their potential to significantly undermine one of the primary vectors currently being used by fraudsters to reach UK citizens. At Cifas we campaigned for the introduction of the provisions into the Bill (now Act) and will be working to support the effectiveness of the legislation in practice through engagement with the regulator, Ofcom.  

While the Act is very welcome, we know that criminals are swift, agile and quick to adapt. For this reason, while significant, these measures need to move in concert with wider government efforts under its 2023 Fraud Strategy to turn the tide on online-enabled fraud. 

In the regulatory space, it is essential that the Online Advertising Programme moves swiftly to close remaining regulatory gaps, by introducing proportionate regulatory measures in the online advertising market, for those platforms not covered by the Online Safety Act. The government published its consultation response on online advertising in July 2023 and has committed to future legislation ‘when parliamentary time allows’. We look forward to supporting the government in taking this work forward and would urge them to do so swiftly. If they don’t, we may see criminals simply circumventing the new Online Safety Act controls by moving from the larger platforms to the smaller, to target victims by a different pathway.   

However, laws and regulatory measures will only go so far in reducing the scale and extent of abuse of the online realm by fraudsters. Beyond the law, it is essential that the social media and tech companies start to play a more active role in the counter-fraud community. In this regard, the government’s moves to negotiate a new counter-fraud 'Tech Charter'– a set of voluntary measures to complement the new laws – are welcome. To be effective, this Charter must prioritise some key areas.  

First, the lifeblood of the organised fraudster is data; whether login credentials to enable credit card fraud or personal data to enable the social engineering of victims, this data is traded freely amongst the criminal community on the dark web. It is essential that we are as agile in our use of data as the criminals.  

Currently many parts of the public and private sectors are sharing data to counter fraud, with appropriate safeguards, to great effect; at Cifas we see the positive impact of this on a daily basis. However, to be effective, data-sharing must be a collective effort; the missing piece of the data puzzle sits with the social media and tech companies.  

Second, those operating within the counter-fraud community recognise that it takes a network to beat a network; key to tackling the fraudsters is to ensure that all parts of the chain – from social media companies, to telecommunications firms and the banking sector – are sharing threat intelligence with each other and with law enforcement; these companies have a key role to play in building a clearer picture of the criminal landscape to enable collective action. We are working to engage the larger online platforms in the community and hope to make strides forward in collaboration in the future. 

Third, the Charter must capitalise on the strengths of a sector, which has at its heart the creation of technology solutions and communications tools. Using the reach of these sectors to take counter-fraud messaging to consumers could be game-changing; in effect turning them from part of the problem into a part of the solution. With the rise of AI and its ability to accelerate the epidemic of fraud to a hitherto unimaginable scale, we must engage this community and all it brings to build our collective defences. 

In sum, while the Online Safety Act is a welcome step forward in the fight against fraud, it should be viewed as a starting point in reducing the effect and impact of online-enabled fraud, rather than an end point.