Electronic Transactions (Certification Authority) Regulations 2010

Electronic Transactions Act 2010

(Sections 22, 36 and 38)

Electronic Transactions
(Certification Authority)
Regulations 2010

2025 REVISED EDITION

(2 June 2025)

[1 November 2010]

PART 1

PRELIMINARY

Citation

1. These Regulations are the Electronic Transactions (Certification Authority) Regulations 2010.

Definitions

2. In these Regulations —

“accreditation” means accreditation granted under these Regulations;

“accredited certification authority” means a certification authority that is accredited under these Regulations;

“accreditation mark” means an accreditation mark as set out in the Schedule;

“subscriber identity verification method” means the method used to verify and authenticate the identity of a subscriber;

“trusted person” means any person who has —

(a)	direct responsibilities for the day‑to‑day operations, security and performance of those business activities that are regulated under the Act or these Regulations in respect of a certification authority; or
(b)	duties directly involving the issuance, renewal, suspension, revocation of certificates (including the identification of any person requesting a certificate from an accredited certification authority), creation of private keys or administration of a certification authority’s computing facilities.

PART 2

ACCREDITATION OF CERTIFICATION AUTHORITIES

Application to be accredited certification authority

3.—(1) Every application to be an accredited certification authority must be made in the form and manner that the Controller may determine and must be supported by —

(a)	the certification practice statement of the certification authority;
(b)	an audit report prepared in accordance with regulations 23 and 34 for compliance with the Compliance Audit Checklist published on the Controller’s Internet website; and
(c)	any information that the Controller may require.

(2) Upon submitting an application for accreditation, the applicant must pay to the Controller an application fee of $1,000.

(3) The Controller must, in the form that the Controller may determine, notify the applicant as to whether the application is successful.

(4) Upon notification that the application is successful, the applicant must pay to the Controller an accreditation fee of $1,000 and, subject to regulation 5, the Controller must grant accreditation to the applicant as an accredited certification authority upon the payment.

(5) The accreditation is subject to any conditions or restrictions that the Controller may determine.

(6) The accreditation is valid for 2 years unless cancelled or suspended under the Act or these Regulations.

(7) The Controller must not refund any fee paid under this regulation if the application is unsuccessful, withdrawn or discontinued, or if the accreditation is cancelled or suspended.

Renewal of accreditation

4.—(1) Regulation 3 (with the exception of paragraph (2)) applies, with the necessary modifications, to an application for renewal of accreditation under this regulation as it applies to an application for accreditation under regulation 3.

(2) The Controller may allow applications for renewal of accreditation to be submitted in the form of electronic records subject to any requirements that the Controller may impose.

(3) If an accredited certification authority intends to renew its accreditation, the certification authority must submit an application for the renewal of its accreditation not later than 3 months before the expiry of its accreditation.

(4) If an application for renewal is made later than the time prescribed in paragraph (3), the application is deemed to be an application under regulation 3 and the application fee prescribed in regulation 3(2) is payable.

(5) If the certification authority does not intend to renew its accreditation, the certification authority must —

(a)	inform the Controller in writing not later than 3 months before the expiry of the accreditation;
(b)	inform all its subscribers in writing not later than 2 months before the expiry of the accreditation; and
(c)	advertise such intention in such daily newspapers and in such manner as the Controller may determine, not later than 2 months before the expiry of the accreditation.

PART 3

REFUSAL, CANCELLATION AND SUSPENSION OF ACCREDITATION

Refusal to grant or renew accreditation

5.—(1) The Controller may refuse to grant or renew an accreditation if —

(a)	the applicant has not complied with any requirement in the Act or these Regulations;
(b)	the applicant has not provided the Controller with any information relating to it or any person employed by or associated with it for the purposes of its business, and to any circumstances likely to affect its method of conducting business, that the Controller may require;
(c)	the applicant or its substantial shareholder is in the course of being wound up or liquidated;
(d)	a receiver or a receiver and manager has been appointed to the applicant or its substantial shareholder;
(e)	the applicant or its substantial shareholder has, whether in Singapore or elsewhere, entered into a compromise or scheme of arrangement with its creditors, being a compromise or scheme of arrangement that is still in operation;
(f)	the applicant or its substantial shareholder or any trusted person has been convicted, whether in Singapore or elsewhere, of an offence the conviction for which involved a finding that it, he or she acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these Regulations;
(g)	the Controller is not satisfied as to the qualifications or experience of the trusted person who is to perform duties in connection with the accreditation of the applicant;
(h)	the applicant fails to satisfy the Controller that it is a fit and proper person to be accredited or that all its trusted persons and substantial shareholders are fit and proper persons;
(i)	the Controller has reason to believe that the applicant may not be able to act in the best interest of its subscribers, customers or participants having regard to the reputation, character, financial integrity and reliability of the applicant or any of its substantial shareholders or trusted persons;
(j)	the Controller is not satisfied as to the financial standing of the applicant or its substantial shareholder;
(k)	the Controller is not satisfied as to the record of past performance or expertise of the applicant or its trusted person having regard to the nature of the business which the applicant may carry on in connection with the accreditation;
(l)	there are other circumstances which are likely to lead to the improper conduct of business by, or reflect discredit on the method of conducting the business of, the applicant or its substantial shareholder or any of the trusted persons; or
(m)	the Controller is of the opinion that it is in the interest of the public to do so.

(2) In paragraph (1), “substantial shareholder”, in relation to an applicant which is a company, has the meaning given by the Companies Act 1967.

Cancellation or suspension of accreditation

6.—(1) An accreditation is deemed to be cancelled if the certification authority is wound up.

(2) The Controller may cancel or suspend the accreditation of a certification authority —

(a)	on any ground on which the Controller may refuse to grant an accreditation under regulation 5;
(b)	if any information furnished in support of the application for the accreditation was false, misleading or inaccurate;
(c)	if the certification authority fails to undergo or pass an audit required under regulation 34;
(d)	if the certification authority fails to comply with a direction of the Controller made under section 23 of the Act;
(e)	if the certification authority is being or will be wound up;
(f)	if the certification authority has entered into any composition or arrangement with its creditors;
(g)	if the certification authority fails to carry on business for which it was accredited;
(h)	if the Controller has reason to believe that the certification authority or its trusted person has not performed its, his or her duties efficiently, honestly or fairly; or
(i)	if the certification authority fails to comply with any condition or restriction applicable in respect of the accreditation.

(3) The Controller may cancel the accreditation of a certification authority at the request of that certification authority.

(4) The Controller must not cancel the accreditation under paragraph (2) without first giving the certification authority an opportunity of being heard.

Inquiry into allegations of misconduct, etc.

7.—(1) The Controller may inquire into any allegation that a certification authority, or an officer or employee of a certification authority, is or has been guilty of any misconduct or is no longer fit to continue to remain accredited by reason of any other circumstances which have led, or are likely to lead, to the improper conduct of business by it or to reflect discredit on the method of conducting business.

(2) If, after inquiring into an allegation under paragraph (1), the Controller is of the opinion that the allegation is proved, the Controller may if he or she thinks fit —

(a)	cancel the accreditation of the certification authority;
(b)	suspend the accreditation of the certification authority for any period, or until the happening of any event, that the Controller may determine; or
(c)	reprimand the certification authority.

(3) The Controller must, at the hearing of an inquiry into an allegation under paragraph (1) against a certification authority, give the certification authority an opportunity of being heard.

(4) Where the Controller is satisfied, after making an inquiry into an allegation under paragraph (1), that the allegation has been made in bad faith or that it is otherwise frivolous or vexatious, the Controller may, by written order, require the person who made the allegation to pay any costs and expenses involved in the inquiry.

(5) The Controller may issue directions to the certification authority for compliance under section 23 of the Act as a result of making the inquiry.

(6) For the purposes of this regulation, “misconduct” means —

(a)	any failure to comply with the requirements of the Act or these Regulations or the certification practice statement of the certification authority concerned; and
(b)	any act or omission relating to the conduct of business of the certification authority concerned which is or is likely to be prejudicial to public interest.

Effect of cancellation or suspension of accreditation

8.—(1) A certification authority whose accreditation is cancelled or suspended under regulation 6 or 7 is deemed, for the purposes of the Act and these Regulations, not to be accredited from the date that the Controller cancels or suspends the accreditation, as the case may be.

(2) The cancellation or suspension of the accreditation of a certification authority does not operate so as to —

(a)	avoid or affect any agreement, transaction or arrangement entered into by the certification authority, whether the agreement, transaction or arrangement was entered into before or after the cancellation or suspension of the accreditation; or
(b)	affect any right, obligation or liability arising under any such agreement, transaction or arrangement.

Appeal to Minister

9.—(1) Where the Controller —

(a)	refuses to grant or renew an accreditation under regulation 5;
(b)	cancels or suspends an accreditation under regulation 6; or
(c)	cancels or suspends an accreditation, or reprimands a certification authority, under regulation 7,

any person who is aggrieved by the decision of the Controller may, within 14 days after the person is notified of the decision, appeal to the Minister and the decision of the Minister is final.

(2) If an appeal is made against a decision made by the Controller, the Controller may, if he or she thinks fit, defer the execution of the decision until the appeal has been decided by the Minister or the appeal is withdrawn.

(3) In considering whether to defer the execution of the decision, the Controller must have regard to whether the deferment is prejudicial to the interests of any subscriber of the certification authority or any other party who may be adversely affected.

(4) If an appeal is made to the Minister, a copy of the appeal must be lodged with the Controller.

PART 4

ACCREDITATION REQUIREMENTS

Business structure

10. An applicant for accreditation must be a company operating in Singapore at the time of the application and throughout the period when it is an accredited certification authority.

Personnel

11.—(1) An applicant for accreditation must, at the time of the application and throughout the period when the applicant is an accredited certification authority, take reasonable measures to ensure that every trusted person —

(a)

is a fit and proper person to carry out the duties assigned to him or her;

(b)

is not an undischarged bankrupt in Singapore or elsewhere, and has not made any composition or arrangement with his or her creditors; and

(c)

has not been convicted, whether in Singapore or elsewhere, of —

(i)	an offence the conviction for which involved a finding that he or she acted fraudulently or dishonestly; or
(ii)	an offence under the Act or these Regulations.

(2) Despite paragraph (1)(c), the Controller may allow the applicant or accredited certification authority to have a trusted person who has been convicted of an offence mentioned in that paragraph, if the Controller is satisfied that —

(a)

the trusted person is now a fit and proper person to carry out his or her duties; and

(b)

10 years have elapsed from —

(i)	the date of conviction; or
(ii)	the date of release from imprisonment if he or she was sentenced to a term of imprisonment,

whichever is the later.

(3) Every trusted person must —

(a)	have a good knowledge of the Act and these Regulations;
(b)	be trained in the certification authority’s certification practice statement; and
(c)	possess the relevant technical qualifications, expertise and experience to effectively carry out his or her duties.

Certification practice statement

12. An accredited certification authority must have and comply with a certification practice statement approved by the Controller.