On 12 May 2026, the Singapore Police Force's Anti-Scam Centre (ASC) reported the results of a two-month joint operation with five banks — DBS, UOB, OCBC, Standard Chartered and GXS. Between 1 March and 30 April 2026, officers and banks used Robotic Process Automation (RPA) to exchange flagged-transaction data in near real time, sent over 5,600 SMS alerts to customers identified as likely scam victims, disrupted more than 500 ongoing scams and averted over $37 million in losses, according to the SPF release.
This is not a one-off. It is the latest in a recurring quarterly cadence of operations that began with manual data exchange and has been progressively automated. The question for tech-policy watchers is not whether the program works — it plainly does — but whether the legal architecture underneath it has kept pace with what is now a standing, automated pipe between law enforcement and the banking system.
The case for the machine is strong
It is worth stating the strongest version of the government's argument before disagreeing with any of it. Scams are Singapore's dominant crime problem: police logged 41,974 scam and cybercrime cases in 2025, with victims losing $913.1 million — even after a welcome 24.8% year-on-year drop, per the SPF's annual brief. Many victims are mid-transfer when intervention is possible; minutes matter, and a human-paced production order is useless against a transaction that clears in seconds. RPA closes that gap. The same brief reports the Anti-Scam Command recovered over $117 million in non-crypto and $22 million in crypto proceeds and helped avoid at least $348 million in further losses in 2025. By any honest measure, automated upstream detection saves ordinary people real money.
That is exactly why the program deserves scrutiny rather than reflexive applause. Tools that work are the ones that get scaled, normalised and repurposed.
From targeted requests to standing data flows
Singapore's baseline rule is that banks may not disclose customer information: section 47 of the Banking Act 1970 makes confidentiality the default, breachable only through exceptions listed in its Third Schedule. Law enforcement's traditional key is section 20 of the Criminal Procedure Code 2010, which lets police issue a written production order for specific documents in a specific investigation. That model is individualised and auditable: one order, one subject, one paper trail.
Three developments have shifted the model from targeted requests toward continuous, bulk flows. First, the RPA operations themselves: instead of police asking a bank about a named account, banks and police now stream flagged-transaction patterns to each other automatically across thousands of customers. Second, the Protection from Scams Act 2025, passed on 7 January 2025 and in force from 1 July 2025, lets a police officer issue a Restriction Order freezing a person's transfers, ATM access and credit facilities on a reasonable belief that they are about to send money to a scammer — by default to all seven domestic systemically important banks. Third, the COSMIC platform created under the Financial Services and Markets (Amendment) Act 2023 lets banks share customer red-flag information with each other. Each is defensible alone. Together they describe a system in which a person's financial life can be read and frozen without that person, a court, or in some cases even a completed crime being involved.
Why bulk automation is a different problem
The Protection from Scams Act does carry safeguards: orders last 30 days, are renewable at most five times, are framed as a "last resort," and preserve access to funds for daily needs, as Rajah & Tann's analysis notes. But the appeal route runs to the Commissioner of Police — the same institution that issued the order — whose decision is final and does not pause the freeze. There is no independent or judicial check in the loop. For the RPA exchanges, there is no published figure for false positives among those 5,600 alerts, no statutory purpose-limitation tying the shared data strictly to scam disruption, and no requirement that the pipeline be audited by anyone outside the agencies operating it.
This is where the history of every successful surveillance tool should give pause. EFF's May 2026 documentation of automated licence-plate readers shows the pattern: infrastructure justified for serious crime drifts until agencies use it "for virtually any whim" — school residency checks, background screening, noise complaints. A real-time police-bank data channel built for scams is a general-purpose financial surveillance capability the moment a future statute points it at tax, drugs, or dissent. Function creep is not a hypothetical risk; it is the default trajectory of dual-use infrastructure absent hard limits.
Proportionate guardrails, not a pause
The pro-innovation answer is not to dismantle a program that demonstrably protects victims. It is to make the program's safeguards as automated and well-engineered as its detection. Three concrete measures would do most of the work: a published transparency report giving the volume of records exchanged, alerts sent, false-positive rate and Restriction Orders issued and reversed; statutory purpose limitation binding the RPA channel to scam disruption, so repurposing requires fresh legislation and debate; and an independent appeal tier — an ombudsman or a court — for Restriction Orders, rather than self-review by the issuing agency. Singapore has built the most effective anti-scam machinery in the region. The remaining task is to ensure its oversight is as world-class as its engineering, before the architecture is quietly turned to other ends.