We are the UK regulator for content, goods and services charged to a phone bill.

Code of Practice

This is the interactive version of the 15th Code of Practice which allows you to navigate the Code more easily.

Relevant Guidance is integrated into the interactive Code alongside the Standard it relates to, so the Transparency Standard, for example, is followed by the sections of the Guidance that apply to it.


3. Regulatory Standards and Requirements

(i) Consumers

Standard

Organisations and individuals involved in the provision of PRS must always act with integrity and must not, in respect of any part of their provision of PRS, act in a way that brings or is likely to bring the PRS market into disrepute.

Requirements
3.1.1

PRS providers must act honestly at all times in all their interactions with consumers and the PSA.

3.1.2

PRS providers and associated individuals must not bring the PRS market into disrepute by being involved, whether knowingly or recklessly, in arrangements which breach any of the provisions of this Code.

3.1.3

All network operators, intermediary providers and merchant providers must act with integrity by:

  (a) ensuring that regulation of PRS is satisfactorily maintained by:
    (i) taking all reasonable steps in the context of their roles, including through the adoption and maintenance of internal arrangements, to ensure that the Standards and Requirements set out in Section 3 of this Code are complied with in respect of all PRS with which they are concerned;
    (ii) carrying out their own obligations under the Code promptly and effectively;
    (iii) taking all reasonable steps to prevent the evasion and/or undermining of PRS regulation; and
    (iv) taking all reasonable steps to ensure that consumer complaints are resolved quickly and fairly, and that any redress is provided quickly and easily.
  (b) having regard to the funding provisions which are set out in Section 7 below and complying with any such provisions where so required.

3.1.4

PRS providers must not engage or otherwise permit the involvement in the provision of PRS of a PRS provider and/or associated individual in respect of whom a sanction has been imposed under paragraphs 5.8.5(f)–(h) below or any previous version of those provisions, so as to enable that person to operate in breach of that sanction.

Standard

Consumers must receive clear, complete and timely information so as to enable them to make fully informed decisions when purchasing phone-paid services.

The Transparency Standard aims to ensure that the entire phone-paid service from service promotion to service exit, including service proposition and cost, is clear and transparent, so that consumers can make fully informed decisions before any charge is incurred.

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid services providers (network operators, intermediary providers and merchant providers) can comply with the Transparency Standard and Requirements. This guidance provides more detail on:

  • promotion
  • point of purchase
  • use of service
  • receipting for mobile network customers
  • method of exit.

If you have any queries about the guidance or want to discuss your approach to compliance with the Transparency Standard please email us at compliance@psauthority.org.uk.

Requirements
Promotion
3.2.1

During any written, spoken or other form of promotion of a PRS, the cost of the service must be provided before any purchase is made. The cost of the PRS must be prominent, clear, legible, visible and proximate to the phone number, shortcode, button or other means by which a charge may be triggered.

3.2.2

Before making their purchase or incurring any charges, consumers must be fully and clearly informed of all information that would reasonably be likely to influence their decision to purchase, including:

  (a) a clear description of what the service is and/or does;
  (b) the cost and, where applicable, the frequency of charging;
  (c) that the charge will be added to the consumer’s phone account (mobile or otherwise);
  (d) the provider’s name (or brand if part of the name);
  (e) the name of the service as registered with the PSA;
  (f) the name and contact details of the provider responsible for customer care and complaints handling (either the intermediary provider or merchant provider); and
  (g) any other key information including a full and clear description of any prizes or awards (where relevant).

3.2.3

All written information provided in accordance with paragraph 3.2.2 above must be accessible, legible and clearly presented.

3.2.4

Where the information provided in accordance with paragraph 3.2.2 above is spoken rather than written, it must be audible, clear and spoken at a pace that enables the consumer to understand fully all the information provided.

3.2.5

Merchant providers are responsible for ensuring that any third party contracted to carry out promotional activity on their behalf complies with all Standards and Requirements set out in this section of the Code that apply to such activity.

Merchant providers are responsible under the Code for the marketing of their services, including where they choose to use third party marketing partners.

Use of marketing partners can increase the risk of consumers seeing misleading promotions. This can be because there are often multiple parties involved in the process which can make it more difficult for the merchant to have control over the marketing practices that partners may employ. We recommend merchants have quality control processes in place (such as final editorial sign-off or contract clauses) to ensure any potentially misleading promotions are not published.

Merchant providers need to ensure in all circumstances, including where they are using third-party partners, that promotional material accurately describes the service being offered.

Merchant providers will need to ensure when they use third-party marketing partners that ultimate control over promotional material rests with the merchant. They need to be able to ensure that material that does not meet the requirements of the Code is not published or may be taken down immediately if necessary.

3.2.6

Where a PRS promotes or is promoted by a non-premium rate electronic communications service, both services will be considered as one where, in the opinion of the PSA, it is reasonable to do so. 

Pricing information (Code Requirement 3.2.1) must be provided before any purchase of a service is made and must be prominent, clear, legible, visible and proximate.

What do we mean by prominent and proximate?

Pricing information should be very easy to locate within a promotion, it should be presented in such a way that it stands out and cannot easily be missed. It should also be displayed close to the phone number, shortcode, button, or other means by which a charge may be triggered.

Pricing information needs to be put where consumers will easily see it. It is likely to be judged as prominent if the information is clearly visible when a consumer makes their purchase and triggers the payment. Both the font size and use of colour are important to establishing pricing prominence (see below for further guidance on fonts and colour).

Proximate can be defined as being next to, or very near, the means of consumer access to a service. The most common example of pricing information being proximate is when it is provided immediately before or above the call to action.

The PSA recommends displaying the price directly above the means of access to the service. For both web and mobile web, if ordering a service entails activating a button (or similar function), the labelling of the button should make the obligation to pay absolutely clear, for instance by using phrases such as "pay now" or "buy now". The wording on the button should be easily legible. A failure to label the button in this way may result in the provider not complying with the law (Regulation 14(4) of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013). Note that consumers are not bound by orders for services which do not comply with this legal requirement and may be entitled to a full refund.

Pricing information should be:

  • standalone rather than hidden within terms and conditions or a bulk of text

  • above the fold on a web-based promotion, in other words consumers should not have to scroll down a page to see it.

What do we mean by clear, legible and visible?

Pricing information should be clear and easy to understand and not presented in a way that is likely to cause confusion. The price of a service should be expressed in clear conventional and unambiguous terms such as:

  • £1 per minute

  • 50p per minute

  • £6 per call

  • £1.50 per text

  • £3 a week

  • £4.50 a month

Examples of unclear pricing information include:

  • premium rate charges apply

  • 100ppm

  • 1.50GBP

  • 50p/m

  • £3/wk

  • £4/mnth

The actual cost of calling a voice-based phone-paid service to consumers is comprised of the service charge and the phone company’s access charge. This means the overall charge to a consumer for calling a voice-based service can often exceed the charge for the service (service charge) as advertised in monetary value in the service promotion.

Where an access charge applies this should also be clearly and unambiguously stated, for example "plus your phone company’s access charge".

Examples of how pricing information can be worded include:

  • Standard per minute phone-paid service: Calls cost £[x]p per minute plus your phone company’s access charge

  • Standard per minute phone-paid service where the duration is known: Calls cost £[x]p per minute and should last no longer than [x] minutes plus your phone company’s access charge

  • Per call tariffs: Calls cost £[x]p plus your phone company’s access charge

  • Per call plus per minute hybrid tariffs: Calls cost £[x]p per call plus £[x]p per minute plus your phone company’s access charge

  • Premium rate texts: Texts cost £[x] or £[x] per text; if more than one chargeable text is sent to complete the purchase, state the full cost and how many texts will be received, and include "plus standard network charge" where applicable

  • Operator billing: State the cost clearly in "£"; if the service is a subscription, state the billing frequency, for example £[x] per week, and include "plus standard network charge" where applicable

  • Subscription services: State the cost clearly in "£" plus the billing frequency, for example £[x] per week or £[x] per month, and include "plus standard network charge" where applicable

  • Charitable donation services: State the cost of donations clearly in "£", for example "text GIVE to 70XXX to donate £5" (include the billing frequency if the donation is recurring), and include "standard network charges apply"

  • Calls to voice shortcodes: State the cost clearly in "£"

Presentation of pricing information

How pricing information is presented is also key. Providers should carefully consider their use of colour and font within marketing material. Pricing information should be presented in a horizontal format and be easily legible in context with the media used. It should be presented in a font size that does not require close examination by a reader with average eyesight. In this context, "close examination" will differ for the medium, for example a static webpage, a fleeting TV promotion, in a print publication, or on a billboard where you may be at a distance or travelling past at speed.

The prominence of pricing information also needs to be considered in comparison to the prominence of the call to action. For example, the appearance and prominence of the call to action should not decrease the prominence of, or detract from, the pricing information.

The use of colour also needs to be considered as this could affect the need for close examination, regardless of font size and/or prominence. There should be sufficient contrast levels between background and text, for example grey text on grey background should not be used and text should not appear on top of busy, patterned backgrounds.

Some combinations of colours used in promotional material reduce the clarity of the information, and make it harder for it to be seen, particularly for people with colour blindness or dyslexia. Providers should take care to ensure that the colour combinations (including black on white) used for the presentation of the price do not adversely affect its clarity. Providers should in general consider the accessibility of their services when designing promotional material.

Informing consumers that charges will be added to their phone account (mobile or otherwise)

Code Requirement 3.2.2(c) requires consumers to be informed that charges will be added to their phone account. In order to meet this Requirement:

  • for online services – a statement confirming that the charge(s) will be added to the consumer’s phone account should be included within promotional material; pricing information alone would not be sufficient for these services, as consumers are less familiar with operator billing as a charging mechanic

  • for voice-based services and text message-based services – full pricing information should be provided which is prominent, clear, legible, visible and proximate as required by 3.2.1 of the Code (which necessitates inclusion of the reference to the phone company’s/network’s access/standard charge as shown in the examples provided above). This will be sufficient to inform consumers that charges will be added to their phone account.

Other information that needs to be provided

Before making a purchase and incurring charges consumers must be provided with all information that would reasonably be likely to influence their decision to purchase (Code Requirement 3.2.2). Besides pricing information, frequency of charges, confirmation that charges are added to the bill, provider details and service name this should include the following:

  • a clear description of what the service is and does, for example:
    • if the service is an ICSS, the promotion should clearly explain that the service is a connection service and that it is not associated in any way with the company to which it connects
    • if the service is a virtual chat service where a consumer has an SMS conversation with a chat operator, or a voice-based chat service, the promotion should clearly explain that the service is an entertainment service or fantasy service, that it is not peer-to-peer and that users are not able to meet the operators in person
    • if the service is an advice service, the promotion should clearly explain the nature of the advice that will be provided, the source of the information on which the advice is based, and/or what qualifications or training the operator has that enable them to provide the advice.
  • any other key information including a full and clear description of any prizes or awards (where relevant), for example:
    • for an ICSS, the promotion should clearly explain that the company to which the service connects can be contacted directly for no or lower cost, and provide a link to the homepage of that company to assist consumers in contacting it directly
    • for competition services, a clear description of the prize on offer would include details such as product specifications or, if the prize is a holiday, when the holiday should be taken and whether travel is included with accommodation. If the prize is money, how the payment will be made, e.g. by cheque or bank transfer.

Some services may be promoted via a non-phone-paid electronic communications service (where a consumer has opted into such marketing), for example via non-phone-paid SMS or during a non-phone-paid voice call. Where this is the case, Code Requirement 3.2.6 confirms that both services will be considered as one where the PSA considers it appropriate to do so. Therefore, providers who intend to promote in this way should make it clear to consumers from the outset that the non-phone-paid service involves promotion of a phone-paid service.

Point of purchase
3.2.7

The point of purchase must be kept separate and distinct from any promotional materials such that consumers are aware, upon reaching the point of purchase, that they have entered a purchasing environment.

3.2.8

At the point of purchase, the merchant provider must ensure that:

  (a) the point of purchase is clearly signposted by distinguishing it from other aspects of the service (such as by design and colour scheme);
  (b) the consumer is clearly notified that opting to receive the service creates an obligation to pay and the consumer explicitly acknowledges that obligation;
  (c) the consumer is made aware of the cost of the service and the frequency of charges (if recurring) in a clear and prominent manner, and such information must be provided directly before the consumer commits to making a purchase; and
  (d) the consumer is clearly notified that the PRS charge will be added to the consumer’s phone account and charged on the basis described.

The point of purchase must be separate and distinct from promotional material so that consumers are aware that they are about to make a purchase (Code Requirements 3.2.7 and 3.2.8). This can be achieved in various ways depending on the nature of the service. Here are some examples:

  • for voice calls, the point of purchase would be separate and distinct from the promotion as the consumer is required to make a phone call by either actively entering and dialling a number on a landline phone or mobile handset. If "click to call" functionality is used, this removes the need to enter a phone number; however, the consumer still needs to confirm through their calling app/facility that they wish to make the call. This would be considered a separate function and therefore not part of the web promotion.
  • for SMS-based services, consumers are required to actively send a text to a shortcode through their SMS function. Again, this would be considered a separate and distinct function because the action the consumer needs to take to make the purchase is separate from the promotion, even where the text may be pre-populated.
  • for online services, the point of purchase could be a web page that is clearly labelled as a payment page in a way that the consumer will be familiar with from making other types of digital purchases or online shopping. For example, having a separate checkout page that clearly notifies consumers of the obligation to pay, the cost and confirmation that charges will be added to the phone bill.

Use of service
3.2.9

If a call is recorded or monitored, then this must be stated explicitly and immediately upon connection of the consumer to the service.

3.2.10

Where a voice service connects the consumer to another organisation, the cost of continuing the call, including information about access charges, must be clearly stated before onward connection.

Pricing information before onward connection for voice-based services

Services that offer onward connection are ICSS and directory enquiry services. Code Requirement 3.2.10 specifies that the cost for continuing the call must be provided before onward connection occurs. Here are some examples of how this can be achieved:

  • the vast majority of ICSS connect consumers to other organisations, therefore a recorded alert upon connection to the ICSS should clearly state the cost for continuing the call and being connected for example “this call costs £1.50 per minute plus your phone company’s access charge”
  • for an ICSS that charges the service charge on a per call basis, the message should clearly state “you will continue to be charged your phone company’s access charge for the duration of the call” or similar
  • for directory enquiry services, the cost announcement can happen after the number the consumer is looking for has been provided, for example “if you wish to be connected this call will cost £3 per minute plus your phone company’s access charge”. The consumer can then choose whether to be connected or not.

3.2.11

Any messages that the consumer needs to access in order to use or engage with a PRS but which are provided separately from the service itself, must be provided at no additional cost to the consumer.

Receipting - mobile network consumers
3.2.12

The merchant provider must ensure that following a consumer’s initial sign-up to the service, and after each subsequent transaction (where the service is recurring), the consumer promptly receives a receipt, at no additional cost to the consumer.

3.2.13

The receipt must be:

  (a) an SMS sent to the consumer’s mobile handset, to the number against which the charge has been applied; or
  (b) an email sent to the email address that the consumer has provided as part of the sign-up to the service (where applicable).

In either case, the receipt must be provided in a format which can easily be retained and reviewed by the consumer offline.

3.2.14

The receipt must set out:

  (a) the name of the service as registered with the PSA;
  (b) the name and contact details of the intermediary provider or merchant provider responsible for customer care and complaints;
  (c) details of the amount that has been charged;
  (d) if the consumer has signed up to a subscription service, details of the frequency of charging, or if there is no defined billing period the basis upon which the frequency of charging is established; and
  (e) clear instructions on how to exit the service.

Receipts must be sent to consumers following initial sign-up to a service and after each subsequent transaction where the service is recurring. The Code Requirements (3.2.13 and 3.2.14) set out clearly the form receipts can take and what details must be included. It will be possible for a premium SMS (PSMS) confirmation or service message to act as the receipt where it is capable of doing so by containing all the information listed in Code Requirement 3.2.14.

3.2.15

The requirements set out at paragraphs 3.2.12–3.2.14 above do not apply to voice services.

Method of exit
3.2.16

There must be simple methods of permanent exit from the PRS. These must include (without limitation) the same method used by a consumer to sign up to or access the service, except where it is not technically possible to use that same method as a method of exit, or where the consumer’s sign-up to or access to the service required the use of multi-factor authentication in accordance with paragraph 3.3.7 below.

3.2.17

All methods of exit must enable a consumer to leave the PRS immediately. There must be no further charges to the consumer after exit, except where those charges have been legitimately incurred prior to exit.

There may be many ways for a consumer to exit a service – these include terminating a phone call by replacing a receiver, selecting a relevant on-screen button, sending an SMS instruction, closing a webpage or uninstalling a mobile application. Whatever method is used, it must be simple to perform and include the method used by the customer to sign up to or access the service unless it is not technically possible to do so, or if the sign-up and access method involves multi-factor authentication (MFA) as this would not constitute a simple method of exit. For example, sending an SMS to a shortcode or logging into an online account and requesting to cancel through that account in a way that the consumer may be familiar with through other digital services and is similar to how the phone-paid service is used.

The "STOP" command may be the most common, familiar and easily implemented system for consumers to exit a mobile-based service. This command should be recognised by the provider in both the uppercase variation of "STOP" and the lowercase variation of "stop", and any combination thereof. We would always expect the consumer to be able to text "STOP" to the same shortcode from which they are being billed or receiving receipts, for ease.

Where a consumer has legitimately tried to cancel a service and failed (either because they have mis-typed "STOP", or because they have sent in another variation such as "please stop", "stop texting me"), then once this becomes clear to the provider, consumers should be retrospectively refunded for any charges subsequent to their first clear attempt to opt out, and immediately removed from the service.

Where a consumer is subscribed to more than one service on a single shortcode, the following actions would be acceptable, where the consumer sends a single “STOP” command:

  • to unsubscribe the consumer from all services they are subscribed to on that shortcode
  • to send the consumer a text which clearly states that they are subscribed to multiple services and informs them that they have been unsubscribed from the last service they opted into, and that they can unsubscribe from all services by replying with the words “STOP ALL”.

As soon as the consumer replies with “STOP ALL”, they should be unsubscribed from all services on that shortcode.

Where we discover that separate shortcodes for requesting a service and opting out from it are being used, then consideration will be given to a provider’s motive or reasons for doing so. Any actions which are likely to confuse consumers may potentially fail to meet both Transparency and Fairness Requirements.

For app-based services involving phone-paid billing options, the STOP command may not be the most appropriate means of exit. Any app using phone-paid billing (whether as the sole payment option or one of a number of payment options) should have a clear and unambiguous method of stopping any phone-paid payment, and a clear and simple method of removing the application from the device, if desired by the user. This information should be clearly detailed within the app, and must be easily accessible, simple to understand and to implement.

For recurring donation services where the SKIP command is available to users, the STOP command must also be available and effective when used.
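The STOP handling described in the guidance above (case-insensitive recognition, the "STOP ALL" option for consumers subscribed to several services on one shortcode, and retrospective refunds from the first clear opt-out attempt once a failed attempt becomes clear), as an added Python illustration. This is not code from the PSA or any provider: the Subscriber and Charge records, the reply wording, the mis-typed-STOP heuristic and the sample message history are all constructed for this example.

```python
"""Opt-out ("STOP") handling for a phone-paid SMS shortcode.

Added illustration of the Method of exit guidance; not code from the PSA or
any provider. Records, reply wording, heuristic and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Charge:
    service: str
    amount_pence: int
    charged_at: datetime
    refunded: bool = False


@dataclass
class Subscriber:
    msisdn: str
    services: list          # active subscriptions on this shortcode, in sign-up order
    charges: list = field(default_factory=list)


STOP_ALL_REPLY = ("You are subscribed to more than one service on this number. "
                  "You have been unsubscribed from {last}. Reply STOP ALL to "
                  "unsubscribe from all services.")


def _within_one_edit(word: str, target: str = "stop") -> bool:
    """True if word equals target or differs by one insertion, deletion,
    substitution or adjacent transposition (constructed heuristic for a
    mis-typed STOP such as "sotp" or "stp")."""
    if word == target:
        return True
    if len(word) == len(target):
        diff = [i for i, (a, b) in enumerate(zip(word, target)) if a != b]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and word[diff[0]] == target[diff[1]]
                and word[diff[1]] == target[diff[0]])
    if abs(len(word) - len(target)) != 1:
        return False
    short, long_ = sorted((word, target), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify(text: str) -> str:
    """Classify an inbound SMS as 'STOP_ALL', 'STOP', 'ATTEMPT' or 'OTHER'.
    Matching is case-insensitive, so STOP, stop and Stop are all honoured.
    'ATTEMPT' covers variations such as "please stop" or "stop texting me"
    and obvious mis-typings."""
    words = [w.strip(".,!?") for w in text.lower().split()]
    words = [w for w in words if w]
    if words == ["stop", "all"]:
        return "STOP_ALL"
    if words == ["stop"]:
        return "STOP"
    if any(_within_one_edit(w) for w in words):
        return "ATTEMPT"
    return "OTHER"


def handle_inbound(sub: Subscriber, text: str) -> tuple:
    """Real-time handling of a message sent to the billing shortcode.
    Returns (reply text, list of services unsubscribed)."""
    kind = classify(text)
    if kind == "STOP_ALL" or (kind == "STOP" and len(sub.services) <= 1):
        removed, sub.services[:] = list(sub.services), []
        return ("You have been unsubscribed from all services.", removed)
    if kind == "STOP":
        # Several services on one shortcode: unsubscribe from the last service
        # opted into and tell the consumer about STOP ALL.
        last = sub.services.pop()
        return (STOP_ALL_REPLY.format(last=last), [last])
    # ATTEMPT and OTHER are queued for review rather than acted on blindly.
    return ("", [])


def refund_after_first_attempt(sub: Subscriber, inbound: list) -> int:
    """Once a failed opt-out becomes clear, refund every charge dated after the
    consumer's first clear attempt and remove them. Returns pence refunded."""
    attempts = [at for at, text in inbound if classify(text) != "OTHER"]
    if not attempts:
        return 0
    first = min(attempts)
    refunded = 0
    for c in sub.charges:
        if c.charged_at > first and not c.refunded:
            c.refunded = True
            refunded += c.amount_pence
    sub.services.clear()
    return refunded


if __name__ == "__main__":
    # Constructed sample: one subscription, weekly charges, two failed opt-outs.
    sub = Subscriber("447700900123", ["QuizClub"])
    for day in (1, 8, 15):
        sub.charges.append(Charge("QuizClub", 150, datetime(2024, 1, day)))
    history = [(datetime(2024, 1, 5), "plese stop"),
               (datetime(2024, 1, 12), "stop texting me")]
    print(refund_after_first_attempt(sub, history), "pence refunded")
```

Only an exact STOP or STOP ALL is acted on automatically; the looser matches are surfaced for review so that a message such as "next step" does not unsubscribe someone by accident, while the refund function errs in the consumer's favour by dating refunds from the earliest message that reads as an attempt.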

Other transparency Requirements
3.2.18

Additional transparency Requirements in relation to services that require age verification are set out at paragraphs 3.5.8–3.5.11 below.

Standard

Consumers must be treated fairly throughout their experience of PRS, including by being charged for PRS only where they have provided informed and explicit consent to such charges.

The Fairness Standard aims to ensure that consumers are not misled into using phone-paid services. It recognises the importance of ensuring that consumers are treated fairly and equitably throughout their experience of phone-paid services (including during service promotion, point of purchase and when providing consent to charges) and have confidence that this is the case.

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid service providers (network operators, intermediary providers and merchant providers) can comply with the Fairness Standard and Requirements. The guidance provides more detail on:

  • treating consumers fairly
    • by not using misleading marketing
    • by providing services without undue delay.
  • excessive use
  • point of purchase
    • multi-factor authentication
    • consent to charge.

If you have any queries about the guidance or want to discuss your approach to compliance with the Fairness Standard, please email us at compliance@psauthority.org.uk.

Requirements
Treating consumers fairly
3.3.1

PRS providers must treat all consumers of PRS fairly and equitably.

3.3.2

PRS providers and their services must not mislead or be likely to mislead consumers in any way.

Providers should ensure that their services are marketed to consumers fairly to prevent them from being misled, or potentially misled in any way (Code Requirement 3.3.2).

Promotional material should always accurately describe and represent the service on offer. Only factual statements should be made about services. It is also important that promotions do not omit, or make insufficiently clear or prominent, information that is likely to affect a consumer’s decision to purchase a service. For example:

  • promotional material for a competition service should make it clear that winning is not a certainty and the chances of winning should not be exaggerated
  • promotional material for a virtual chat or live entertainment service should make it clear that meeting or dating in person is not possible (where the service is not peer-to-peer dating)
  • a false sense of urgency should not be created, for example through use of countdown clocks
  • promotional material should make it clear whether a service is free of charge or not. For example, the word free should not be used in the name or branding if the service is not free.

Examples of non-misleading statements might include:

  • “enter for a chance to win £1000 in cash”
  • “fantasy chat line for entertainment purposes only”
  • “connection service operated by [xx] connecting you to PSA”
  • “offer ends at midnight on [include date]”

Examples of misleading statements might include:

  • “you’ve won £1000”
  • “hook-up with local people in your area now”
  • “click to call PSA customer services now”
  • “hurry time is running out!! 30 seconds left”

3.3.3

PRS providers must not use any marketing technique, language or imagery which misleads or has potential to mislead the consumer into believing the service on offer is associated with or provided by another PRS provider or any other public or commercial organisation when it is not.

The Code requires providers to not use any marketing technique, language or imagery which misleads or has potential to mislead the consumer into believing the service on offer is associated with or provided by another phone-paid provider or any other public or commercial organisation when it is not (Code Requirement 3.3.3). This requirement applies to all providers regardless of the services being offered, however, it is particularly significant for providers of ICSS. For example:

  • promotional material for services which connect consumers to other organisations (ICSS or directory enquiry services) should:
    • ensure any search engine marketing is clear that the service is a connection or directory enquiry service and not use key words or optimisation techniques that may mislead consumers into believing the service is associated with the organisation or organisations to which the service connects
    • make the true nature of the service abundantly clear and clearly and prominently state who is providing the service (see Transparency Requirement 3.2.3)
    • not use potentially misleading URLs for example by including the name of the organisation or organisations being connected to within the domain name
    • only use logos and imagery associated with the merchant provider and the service and not use logos or imagery associated with the organisation or organisations to which the service connects.
  • promotional material for competition services which may be offering prizes such as electronic gadgets or shopping vouchers should:
    • use the merchant’s/service’s own branding and not the branding of the manufacturer or shop that a voucher is for
    • not imply that the competition is affiliated with a certain manufacturer or shop where it is not factually the case.

Using third-party marketing providers

Merchant providers are responsible under the Code for the marketing of their services, including where they choose to use third party marketing partners.

Use of marketing partners can increase the risk of consumers seeing misleading promotions. This can be because there are often multiple parties involved in the process which can make it more difficult for the merchant to have control over the marketing practices that partners may employ. We recommend merchants have quality control processes in place (such as final editorial sign-off or contract clauses) to ensure any potentially misleading promotions are not published.

Merchant providers need to ensure in all circumstances, including where they are using third-party partners, that promotional material accurately describes the service being offered.

Merchant providers will need to ensure when they use third-party marketing partners that ultimate control over promotional material rests with the merchant. They need to be able to ensure that material that does not meet the requirements of the Code is not published or may be taken down immediately if necessary.

3.3.4

PRS must be provided without undue delay after the consumer has done what is necessary to connect with the service. Once the consumer has been connected to the service, the service must not be unreasonably prolonged.

Once a consumer has chosen to engage with any type of phone-paid service, the service should either offer prompt engagement with the service itself, or the service content purchased should be promptly delivered (Code Requirement 3.3.4).

Factors that constitute undue delay include:

  • queuing systems – a voice-based service that employs any variation of a queuing system that prevents (either deliberately, or otherwise) a consumer from immediately engaging with that service
  • long introductory messages – for voice-based services we recommend introductory messages do not exceed 30 seconds in length.

Pre-recorded services should not be designed to keep the consumer on the line or be unreasonably prolonged. To avoid this:

  • keep instructions as simple as possible
  • keep menu facilities short and concise
  • keep sentences short and avoid long pauses
  • avoid promoting other services within intro messages.

If there is an expected delay in service delivery such as delivery of an e-ticket, then consumers should be clearly informed within promotional material and receipts when they will receive what they have purchased.

3.3.5

Merchant providers must take reasonable and prompt steps to identify excessive use of their service or services by any consumer and to inform the relevant consumer of that usage.

By “excessive use” we mean any potential incident(s) of high or sustained repetitive usage in excess of the range of usual behaviour or normal use. What constitutes excessive use can vary depending on the context and the characteristics of the service in question. Excessive use is often closely linked to, or results in, significant consumer spend, which could occur over a short period of time (e.g. one weekend) or over a longer sustained period (e.g. a number of years). Excessive use of phone-paid services can lead to "bill shock" and might also result in significant distress for the user; financial detriment; possible dissatisfaction with phone-paid services and subsequent reputational damage to the industry. Excessive use or spend could also potentially be linked to a consumer’s vulnerability (see Vulnerable consumer Standard guidance for further information).

Identifying excessive use

Indicators of excessive use of phone-paid services may include:

  • higher than average spend
  • higher than average use
  • a noticeable, irregular incident, e.g. multiple identical purchases or unusually high spend or use in a short period of time or in short bursts.

Merchant providers need to understand what typical use of their services looks like, so that they can spot any irregular activity. It is recommended that providers monitor average user engagement across a defined period or billing cycle. Once the average spend/use levels are established, the PSA suggests that any use/spend which is over 100% higher than that average may be considered potentially excessive.

The PSA recommends using the modal average to calculate average user spend. The mode is the value that appears most often in a set of data. Using the modal average highlights the most common average usage, not taking account of extreme usage. There may be cases where the mode is not the most suitable method of establishing average consumer spend, e.g. services with a high volume of unique users but a relatively low level of average engagements per user. In these cases, we would suggest that providers contact the PSA to discuss alternatives.

The level at which excessive use is determined will often be informed by what is appropriate to the service context and/or any incremental service charge or the average cost incurred by a consumer.

Taking the service type into account

What may constitute excessive or problematic levels of service use can vary depending on the service type and context in which the service operates. The following examples may assist providers to establish consumer spend levels that are appropriate to the context and service type:

  • competition services and other games with prizes are likely to show a different average level of user interaction and experience from other service types. Services in this category operate for a defined period and may carry a greater risk of consumer detriment or of problematic patterns of usage.
  • remote gambling services are highly likely to attract consumers who may be at risk of using services excessively. Usage level or spend which is less than 100% higher than average could be considered excessive in this context.
  • significant and unforeseen spikes in service usage could also be seen in virtual chat services or gaming/in-app purchase(s) where a user sends repetitive and/or other message requests persistently and within a short space of time.
  • live interactive broadcast phone-paid services can involve significant spikes in traffic/service use at critical times within or around broadcasts. Where the average user might only vote once or twice, it is unlikely that a usage level or spend 100% higher than this average would be considered excessive in this context. In this example, the merchant provider may set alternative, higher user-interaction thresholds to define excessive use; these will likely be determined using data held by the provider.
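As an added example (not PSA or any provider's code), the Python below implements the baseline described under "Identifying excessive use" together with the per-service-type thresholds just discussed: the modal average of per-user spend and use over a billing cycle, the "over 100% higher than average" rule, and a check for bursts of identical purchases. The service multipliers other than 2.0, the burst parameters and every transaction are constructed assumptions.

```python
"""Excessive-use screen modelling the guidance above (added example, not PSA or
provider code; all transactions are constructed). Baseline: the modal average
of per-user spend and purchase count over a billing cycle; totals more than
100% above the mode (over 2x, or a per-service-type multiplier) are flagged,
as are bursts of identical purchases (the "irregular incident" indicator)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import multimode
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    user: str       # consumer identifier, e.g. a hashed MSISDN (constructed)
    when: datetime  # time the charge was made
    pence: int      # charge amount in pence


# Activity above (multiplier x mode) is flagged. 2.0 encodes the PSA's "over
# 100% higher than average"; the other values are assumptions for this example.
FLAG_MULTIPLIER = {"default": 2.0, "gambling": 1.5, "broadcast_vote": 4.0}
# Burst rule (assumption): this many identical-price purchases inside the
# window is an irregular incident regardless of the spend baseline.
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=5)


def modal_average(values: Iterable[int]) -> Optional[int]:
    """Mode of the values; on a tie take the lowest so the baseline is
    conservative (more users reviewed, not fewer). None if empty."""
    values = list(values)
    return min(multimode(values)) if values else None


def per_user_totals(txns: Iterable[Transaction]) -> Tuple[Dict[str, int], Dict[str, int]]:
    spend: Dict[str, int] = defaultdict(int)
    uses: Counter = Counter()
    for t in txns:
        spend[t.user] += t.pence
        uses[t.user] += 1
    return dict(spend), dict(uses)


def burst_users(txns: Iterable[Transaction]) -> Set[str]:
    """Users with BURST_COUNT purchases of one price inside BURST_WINDOW."""
    times_by_key: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)
    for t in txns:
        times_by_key[(t.user, t.pence)].append(t.when)
    hits: Set[str] = set()
    for (user, _), times in times_by_key.items():
        times.sort()
        # Sliding window over consecutive purchases of that price.
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                hits.add(user)
                break
    return hits


def flag_excessive(txns: List[Transaction], service_type: str = "default") -> Dict[str, List[str]]:
    """Return {user: [reasons]} for users whose cycle activity looks excessive."""
    spend, uses = per_user_totals(txns)
    if not spend:
        return {}
    mode_spend = modal_average(spend.values())
    mode_uses = modal_average(uses.values())
    mult = FLAG_MULTIPLIER.get(service_type, FLAG_MULTIPLIER["default"])
    bursts = burst_users(txns)
    flagged: Dict[str, List[str]] = {}
    for user in spend:
        reasons = []
        if spend[user] > mult * mode_spend:
            reasons.append(f"spend {spend[user]}p over {mult}x mode {mode_spend}p")
        if uses[user] > mult * mode_uses:
            reasons.append(f"{uses[user]} uses over {mult}x mode {mode_uses}")
        if user in bursts:
            reasons.append(f"{BURST_COUNT}+ identical purchases within {BURST_WINDOW}")
        if reasons:
            flagged[user] = reasons
    return flagged


def sample_cycle() -> List[Transaction]:
    """Constructed billing cycle for a 150p-per-entry competition service."""
    t0 = datetime(2024, 3, 1, 9, 0)
    txns: List[Transaction] = []
    for n in range(6):  # six typical users, two entries each: mode 300p / 2 uses
        txns += [Transaction(f"user{n}", t0 + timedelta(days=n), 150),
                 Transaction(f"user{n}", t0 + timedelta(days=n + 10), 150)]
    # Exactly 2x the mode is not "over 100% higher", so not flagged by default.
    txns += [Transaction("twice", t0 + timedelta(days=d), 150) for d in range(4)]
    # Eight entries: well over 2x on both spend and use.
    txns += [Transaction("heavy", t0 + timedelta(days=d), 150) for d in range(8)]
    # Three identical entries in two minutes: under the spend line, but a burst.
    txns += [Transaction("burst", t0 + timedelta(minutes=m), 150) for m in range(3)]
    return txns
```

Running `flag_excessive(sample_cycle())` flags only "heavy" and "burst"; passing `service_type="gambling"` lowers the bar so that "twice" is flagged as well.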

Informing consumers

Where potential excessive use is identified, providers should take reasonable and prompt steps to make users aware of that usage. For the avoidance of doubt, the issuing of receipts alone, as required by Code Requirement 3.2.12, while helpful as a prompt, is not sufficient to meet this Requirement. The PSA recommends:

  • this can be done through methods of communication appropriate to the means of access to the phone-paid service
  • this should be done as soon as possible after the event that led to the communication and in any event as soon as reasonably possible and no later than five days after the event has been identified
  • that if the consumer fails to respond promptly to communications from the provider, the provider of the phone-paid service should not continue to bill the user or offer access to the service until the user has acknowledged their usage and associated spend level to the provider directly. The purpose of this recommendation is to mitigate any financial harm resulting from the excessive use.
  • the PSA would suggest that such a response can be obtained via phone call, SMS, email, or acknowledgement through an active field within the service/website, etc. A record of any acknowledgement should be kept by the provider in a secure and tamper-proof environment (for the relevant period set out in the data retention notice) so that it can respond effectively to any potential investigation in due course. It may be appropriate for such records to be recorded and maintained by an independent third party.

Where a consumer appears to have been using a phone-paid service excessively, but it is established through successful communication with the consumer that they are aware of the associated charges, in control of their usage, and satisfied with the service, then no further action is required. Evidence of the communication should be collected and stored for a reasonable period.

Some regular service users may frequently use and spend in excess of an established average and may not view this as excessive or potentially problematic. It may be useful to maintain a separate list of such recognised high-use individuals, albeit with a degree of observation of their spend and usage levels if appropriate.

Some users, having been contacted by a provider of a service may not have been fully aware of the costs associated with the service, or there may be examples of unauthorised use. The PSA expects that the provider will endeavour to resolve the issue promptly, easily and fairly with the consumer directly, in line with the Customer care Standard and Requirements (see Customer care guidance for further information).

Point of purchase
3.3.6

Consumers must not be charged for PRS without their informed and explicit consent. Merchant providers must be able to provide evidence, where required by the PSA, which establishes that consent.

In Code Requirement 3.3.6, informed consent means that the consumer has all the key information they need to decide whether to make a purchase or not (see also Transparency Requirement 3.2.2). Explicit consent means that the consumer takes positive action to agree to a charge.

The PSA would generally regard the consumer’s consent as being informed if it can be demonstrated via genuine, easily auditable records, that a consumer has seen all the key information that is likely to influence their decision to purchase the service. Providers should be able to demonstrate that such records show genuine consumer consent and have not been tampered with in any way since they were created. The provider should be able to provide the PSA with raw opt-in data (access to records, rather than Excel sheets of records which have been transcribed) and real-time access to this opt-in data on request. This may take the form of giving the PSA password-protected access to a system of opt-in records.

3.3.7

Multi-factor authentication must be used by merchant providers to establish and demonstrate informed and explicit consumer consent to charges in the following circumstances:

  1. where the service is accessed fully or in part via an online gateway;
  2. where the service is a subscription service, including services involving a recurring donation;
  3. where the service is a Society Lottery Service.

Multi-factor authentication stage one Requirements
3.3.8

In any of the circumstances described at paragraph 3.3.7 above, merchant providers must ensure that the first stage of obtaining consumer consent to any charge, is carried out via one of the following methods of consumer interaction:

  1. use of a password-controlled account, in respect of which the password is selected and controlled by the consumer. The account information fields must not auto-populate or self-generate and must require the consumer to enter at least two of the following details:
    1. their email address as verified by the merchant provider;
    2. a username that they have selected and control;
    3. their name; and/or
    4. a password that they have selected and control.
  2. use of a secure PIN loop system, which must be initiated and confirmed by the intermediary provider through interaction with the consumer. The secure PIN must:
    1. comprise no less than four truly random integers;
    2. be entered by the consumer (and must not auto-populate or self-generate);
    3. expire if, after three attempts, the consumer has not entered the PIN correctly; and
    4. expire within 15 minutes of the PIN being received to the consumer's handset.
  3. use of a secure on-screen PIN which must be initiated and controlled by the intermediary provider or network operator. The secure on-screen PIN must:
    1. not be displayed in a form that is easily readable by a client machine (for example, it should be presented as an image rather than in HTML text);
    2. comprise no less than four truly random integers;
    3. be entered by the consumer (and must not auto-populate or self-generate); and
    4. expire if, after three attempts, the consumer has not entered the PIN correctly.
  4. use of a secure, consumer-controlled mobile originating short message service (MO SMS) system by means of which consumers are required to notify their mobile network operator and intermediary provider(s) of their consent to any charges;
  5. for recurring donation services only, through a phone-call between a person acting on behalf of the charity and a consumer, in which audible consent to the relevant recurring charge is obtained from the consumer. The telephone conversation must be recorded in full; or
  6. for recurring donation services only, through face-to-face engagement with a consumer as part of which the consumer is required to enter at least two details into a secure online environment for the purpose of providing consent to the relevant recurring charge, such as:
    1. their email address as verified by the merchant provider;
    2. their mobile phone number; and/or
    3. their name.

For services accessed fully or in part via an online gateway, subscriptions (including recurring donations) and society lottery services the Code requires multi-factor authentication to be used to establish and demonstrate informed and explicit consent (paragraphs 3.3.7 and 3.3.8).

The Code sets out clearly that stage one of multi-factor authentication can be achieved by one of the following:

  • consumer selected password-controlled account
  • secure PIN loop system which is initiated and confirmed by the intermediary provider
  • on-screen PIN which is initiated and controlled by the intermediary provider or network operator
  • consumer-controlled mobile originating short message service (MO SMS) – the consumer sends an SMS with a keyword to a shortcode
  • for recurring donations, a phone call between a person acting on behalf of a charity and a consumer, or face-to-face engagement with a consumer as part of which the consumer is required to enter at least two details into a secure online environment.

Where stage one multi-factor authentication is achieved through consumer selected password-controlled account (Code paragraph 3.3.8(a)), it would be acceptable to use existing third-party verified accounts via an electronic identification protocol, such as Facebook or Google sign-in buttons, within the purchasing environment. The webpage enabling use of the verified account must be hosted by the intermediary provider or network operator.

Where stage one multi-factor authentication is achieved through a secure PIN loop system (Code paragraph 3.3.8(b)), the function may be undertaken by an independent third party on behalf of the intermediary provider. Where a network operator contracts directly with a merchant provider, the function may be undertaken by the network operator.
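As an added example (not PSA code or any intermediary's platform), the Python below models the 3.3.8(b) PIN loop on the intermediary side: a PIN of four digits drawn from the OS CSPRNG, expiry after three wrong entries or 15 minutes, single use, and an audit trail of each consumer response of the kind 3.3.14 expects to be retained. The SMS gateway hook, the injected clock and the phone number are assumptions.

```python
"""Secure PIN loop modelling the 3.3.8(b) requirements above (added example,
not PSA code or any intermediary's platform). The PIN is issued and checked on
the intermediary side, never by the merchant; the clock is injected so the
15-minute rule can be exercised deterministically."""
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

PIN_LENGTH = 4                        # Code: no less than four random integers
MAX_ATTEMPTS = 3                      # Code: expire after three wrong entries
PIN_LIFETIME = timedelta(minutes=15)  # Code: expire within 15 minutes of receipt


def generate_pin(length: int = PIN_LENGTH) -> str:
    """Digits from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


@dataclass
class PinChallenge:
    pin: str
    issued_at: datetime
    attempts: int = 0

    def is_expired(self, now: datetime) -> bool:
        return self.attempts >= MAX_ATTEMPTS or now - self.issued_at > PIN_LIFETIME


class PinLoop:
    """Intermediary-side PIN loop. It also keeps the auditable record of each
    consumer response that 3.3.14 expects the intermediary to retain."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], datetime] = datetime.now) -> None:
        self._send = send_sms      # assumed SMS gateway hook: (msisdn, text)
        self._clock = clock
        self._active: Dict[str, PinChallenge] = {}
        self.audit: List[dict] = []

    def start(self, msisdn: str) -> None:
        """Issue a fresh PIN to the handset; any earlier PIN for it is dropped."""
        pin = generate_pin()
        now = self._clock()
        # Assumption: delivery is prompt, so the 15-minute window is measured
        # from issue, which is conservative relative to "received to the handset".
        self._active[msisdn] = PinChallenge(pin, now)
        self._send(msisdn, f"{pin} is your one-time code to confirm this charge. "
                           "It expires in 15 minutes or after 3 wrong entries.")
        self.audit.append({"msisdn": msisdn, "at": now, "event": "pin_sent"})

    def confirm(self, msisdn: str, entered: str) -> str:
        """Check a consumer-entered PIN: 'confirmed', 'retry' or 'expired'."""
        now = self._clock()
        challenge = self._active.get(msisdn)
        if challenge is None or challenge.is_expired(now):
            self._active.pop(msisdn, None)
            outcome = "expired"
        else:
            challenge.attempts += 1
            # Constant-time comparison of what the consumer typed (whitespace stripped).
            if hmac.compare_digest(challenge.pin.encode(), entered.strip().encode()):
                self._active.pop(msisdn)  # single use
                outcome = "confirmed"
            elif challenge.attempts >= MAX_ATTEMPTS:
                self._active.pop(msisdn)  # third wrong entry kills the PIN
                outcome = "expired"
            else:
                outcome = "retry"
        self.audit.append({"msisdn": msisdn, "at": now, "event": f"pin_{outcome}"})
        return outcome


def demo() -> Dict[str, list]:
    """Run the three edge cases against a fake clock and return the outcomes."""
    sent: List[str] = []
    now = [datetime(2024, 1, 1, 12, 0)]
    loop = PinLoop(lambda _msisdn, text: sent.append(text), clock=lambda: now[0])
    msisdn = "447700900123"  # constructed number in the UK drama range

    def issue() -> str:
        loop.start(msisdn)
        return sent[-1].split()[0]  # the code is the first token of the SMS

    results: Dict[str, list] = {}
    pin = issue()  # 1. correct entry succeeds once; the PIN is single-use
    results["happy"] = [loop.confirm(msisdn, pin), loop.confirm(msisdn, pin)]
    pin = issue()  # 2. three wrong entries expire the PIN; the right one is then refused
    wrong = "0000" if pin != "0000" else "1111"
    results["brute"] = [loop.confirm(msisdn, wrong) for _ in range(3)]
    results["brute"].append(loop.confirm(msisdn, pin))
    pin = issue()  # 3. a correct entry after 16 minutes is refused
    now[0] += timedelta(minutes=16)
    results["late"] = [loop.confirm(msisdn, pin)]
    results["events"] = [e["event"] for e in loop.audit]
    return results
```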

Multi-factor authentication stage two Requirements
3.3.9

In addition to the first stage Requirement set out at paragraph 3.3.8 above, merchant providers must carry out the second stage of obtaining consumer consent via one of the following means of consumer interaction:

  1. use of a confirmation button to confirm the purchase;
  2. use of biometric technology, such as fingerprint or facial recognition; or
  3. use of a secure, consumer-controlled MO SMS system by means of which consumers are required to notify their mobile network operator and intermediary provider(s) of their consent to any charges.

3.3.10

For recurring donation services only, where the consumer has donated on a one-off basis and through a confirmation message is provided with the opportunity to convert their one-off donation to a recurring donation, the message must specifically seek the consumer’s consent to the recurring charge. Such consent must be given by way of an MO SMS as set out in paragraph 3.3.9(c) above.

3.3.11

Where a recurring donation service enables donors to skip a monthly payment: 

  1. the instruction command SKIP must be required to be used by donors to suspend payment of their monthly donation; and
  2. a monthly reminder containing the SKIP instruction at paragraph 3.3.11(a) above must be sent 24 hours prior to when the consumer is due to be charged.

3.3.12

For subscription services, except recurring donation services, the following Requirements as relevant will apply:

  1. where a consumer enters into a subscription service that lasts for a defined period (‘term-based subscription’) a reminder must be sent to the consumer at least seven days, and no more than 30 days, before the end of the subscription period. The reminder must state what service or product the consumer has subscribed to and state that the subscription will renew automatically unless the consumer opts out before the end of the subscription period.
  2. where a consumer enters into a subscription service that continues for an indefinite period a reminder must be sent to the consumer within the 14 days preceding each anniversary of the date the consumer entered into the subscription service. The reminder must state what service or product the consumer has subscribed to and state that the subscription will continue until such point the consumer opts out.

3.3.13

Where a network operator or intermediary provider contracts with a third party to undertake verification of consumer consent to charges as part of their compliance with the provisions above requiring the establishment of such consent, the third party must be independent of the merchant provider.

Evidence of consumer consent to charges
3.3.14

In order to demonstrate consumer consent to charges for a PRS provided fully or partly through an online gateway, the intermediary provider and merchant provider must retain records in compliance with any relevant time periods specified in the data retention notice under paragraph 6.2.20 below. In particular, such records must always clearly set out: 

  1. the dates, times and web addresses that relate to the purchase;
  2. details of the consumer’s device and mobile network;
  3. evidence of at least two positive, recorded and auditable responses from the consumer; and
  4. the information displayed to the consumer immediately prior to initiating the purchase.

Calls to voice-based services

3.3.15

For any calls to voice-based services, intermediary providers and merchant providers must retain records which clearly set out:

  1. the phone number from which the consumer has called (where the consumer’s phone number has not been withheld);
  2. the phone number that the consumer has called; and
  3. the date and time of the phone call.

3.3.16

For phone calls to voice shortcodes, the originating network operator’s record of the consumer’s initiation of the call will be sufficient evidence of consent.

Text message-based services

3.3.17

Intermediary providers and merchant providers must retain records which clearly set out:

  1. the date and time that the consumer sent the relevant text message;
  2. the consumer’s mobile phone number;
  3. the mobile shortcode to which the text was sent;
  4. the date and time when that text was received to the shortcode; and
  5. any messages sent to the consumer in reply.

Standard

Consumers must receive excellent and timely customer care including the resolution of their complaints.

This Standard aims to ensure that consumers have a good experience in their dealings with providers of phone-paid services. Providers should offer excellent customer care and when things go wrong, complaints should be resolved promptly and effectively. Consumers should have a positive experience of seeking and obtaining a refund.

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid service providers (network operators, intermediary providers and merchant providers) can comply with the Customer care Standard and Requirements. This guidance provides more detail on:

  • the roles and responsibilities of different parts of the value chain 
  • developing complaint policies and procedures 
  • refunds 
  • what constitutes expending undue time, effort and money
  • what the PSA’s expectations are in relation to
    • resolving complaints promptly/easily/fairly
    • customer care facilities
    • using all reasonable efforts.

If you have any queries about the guidance set or want to discuss your approach to compliance with the Customer care Standard, please email us at compliance@psauthority.org.uk.

Roles and responsibilities

Different parties will have different roles and responsibilities based on where they sit in the value chain; the Code clearly highlights which Requirements relate to which providers.

Merchant providers have primary responsibility for customer care as they have the direct relationship in terms of providing their services to their customers. Where a consumer has a customer care query or complaint, we would expect the merchant provider to be their first port of call.

Merchant providers may choose to contract out their customer care facilities to another provider in the value chain. Where this is the case, the merchant retains the responsibility for meeting the Customer care Standard and Requirements. This is acceptable practice providing all the requirements of the Customer care Standard are followed and the appropriate customer care details are clearly communicated to consumers (see Transparency Standard Requirement 3.2.2).

If consumers contact a provider in the phone-paid service value chain (an intermediary provider or a network operator, for example) that is not responsible for handling customer care for the service in question, those consumers should be dealt with courteously and be promptly signposted to the merchant or relevant provider (Code paragraph 3.4.9).

Requirements
3.4.1

Intermediary providers and merchant providers must ensure that consumer enquiries and complaints that they have primary responsibility for handling are responded to and resolved promptly, easily and fairly, at no more than basic rate cost to the consumer. Where an intermediary provider or merchant provider does not have primary responsibility it must promptly refer complaints it receives to the PRS provider that has primary responsibility. For the purposes of this paragraph and paragraphs 3.4.4 and 3.4.5 below, where there are no arrangements between PRS providers in the value chain as to who has primary responsibility, such responsibility will fall on the merchant provider.

This Requirement (Code paragraph 3.4.1) focuses on responding and resolving consumer enquiries and complaints promptly, easily and fairly, and at no more than basic rate cost to the consumer. This means consumers should have access to both information and a process by which issues can be identified, shared, and considered. For the avoidance of any doubt, “basic rate” means costing no more than the charge for calling a UK geographic number.

The PSA expects that:

  • providers’ complaints handling processes should be easily accessible and should be clearly signposted to consumers on request
  • consumers should have to make as few calls/contacts as possible in order to find and receive redress
  • providers should be courteous and respectful to consumers at all times 
  • consumers should be kept informed as to the status of their complaint throughout the complaint handling process
  • providers should make every reasonable effort to resolve a consumer’s complaint to the consumer’s satisfaction.

Whether or not a consumer contact is an enquiry or a complaint (defined in Code paragraph D.2.17) is determined by the consumer. If a consumer makes an expression of dissatisfaction, this should be considered as a complaint.

Complaint handling is not just about gathering information from a complainant, but being able to resolve matters fully and to provide a proper form of redress, where appropriate.

Providers should acknowledge the consumer’s contact as soon as possible. For example, if customer care is provided via email, an automatic acknowledgment which confirms receipt and advises how long the consumer can expect to wait to receive a response (whether initial or full) should be sent. The response (initial or full) should be sent within five working days (Code Requirement 3.4.4).

3.4.2

Intermediary providers and merchant providers’ customer care facilities must be available to consumers as a minimum during the normal business hours of 9am to 5pm, Monday to Friday (excluding public holidays).

3.4.3

Intermediary providers and merchant providers must keep consumers informed about the status of any complaint and/or associated refund request.

3.4.4

The PRS provider in the value chain with primary responsibility for customer care, whether this is the network operator, intermediary provider or merchant provider, must respond to consumers who contact them promptly and in any event within five working days.

Customer care facilities are the methods of contact through which customer care is provided, such as a helpline phone number, email, web form or web chat. The provider’s chosen methods of contact must be accessible to consumers during normal business hours of 9am-5pm Monday to Friday (Code Requirement 3.4.2).

If a phone line is used for customer care, then calls should be answered within the advertised availability hours as this is what consumers expect. If a voicemail facility is provided, then consumers calling should be advised what details to provide and how long they should expect to wait to receive a reply – again this should be no longer than five working days (Code Requirement 3.4.4).

If a web chat function is used, it would be appropriate to respond as soon as possible as consumers may naturally expect almost immediate replies from such chat facilities. If there is a wait time or queue, then consumers should be advised of this.

Where web forms are used, we would recommend advising consumers when they can expect to receive a reply either within the form or at the point of submitting a completed form, again this should be no longer than five working days.

Customer care should be provided via the methods advertised, and these contact methods/details should be easy to find and access within promotional and service material. We recommend that more than one method of contact is available in order to be accessible.

Consumers should have to make as few contacts as possible to get the help they need, and their issues resolved. Ultimately, consumers will contact the easiest person to find by the most convenient means available to them. This will be based on:

  • their knowledge of the service 
  • information given to them during their previous use and engagement with it, and
  • their ability to locate additional information where necessary.

It is vital that customer care contact details are easy to find to prevent consumers from contacting the wrong people and having to make multiple contacts (also see Transparency Requirement 3.2.2).

To manage consumer expectations, the PSA would expect a provider’s initial response to a consumer to include:

  • details of the customer care process the provider will follow to answer enquiries and investigate complaints
  • the timeframes it will follow to answer enquiries and investigate complaints.

3.4.5

The PRS provider in the value chain with primary responsibility for customer care, whether this is the network operator, intermediary provider or merchant provider, must use all reasonable efforts to resolve all PRS related issues raised by a consumer promptly and in any event within 30 working days of the initial consumer contact.

Providers should do all that can be done to resolve any issues raised by a consumer, continuing to take prompt, active steps to resolve the complaint to the consumer’s satisfaction until the complaint has been resolved or otherwise closed. This should include being able to explain to a consumer what has happened in their particular case, which may involve being able to provide data and information, and also being prepared and able to refund the consumer promptly where agreed.

Resolution should be reached promptly and in any event within 30 working days of the consumer’s initial contact to the merchant or provider with primary responsibility for handling customer care. This time frame begins at the point the consumer has contacted the merchant or other provider with primary responsibility for handling customer care. If a consumer is slow to respond to any requests made by the provider to assist in resolving enquiries or complaints, or does not respond at all, the merchant is not likely to be accountable for missing the resolution timeframe providing they can demonstrate that reasonable efforts have been made.

Resolution can be reached in various ways, for example:

  • the consumer understands and is satisfied with the explanation relating to their enquiry or complaint and no further redress or action is requested or required
  • the consumer is offered redress and is satisfied so no further action is required 
  • the consumer is not satisfied with the explanation or redress but has been clearly signposted to the PSA and the PSA’s role has been explained
  • the consumer is not happy with the explanation or redress but has been offered Alternative Dispute Resolution (ADR) where the provider is signed up to an ADR provider.

3.4.6

Intermediary providers and merchant providers must retain, and make available to consumers upon request, all information that is necessary to assist consumers fully in the resolution of their enquiries and complaints.

3.4.7

Intermediary providers and merchant providers must inform consumers who are dissatisfied with the customer care they receive or with the handling of their enquiry or complaint that they may complain to the PSA, and must provide the consumer with the PSA’s contact details accordingly.

3.4.8

Intermediary providers and merchant providers must, upon request, provide the PSA with all information that allows examination of how they have handled any customer care or consumer enquiry or complaint.

3.4.9

Network operators and intermediary providers that interact with consumers in relation to a PRS must provide clear information to them about how to contact the merchant provider, including the merchant provider’s:

  1. name as registered with the PSA and details of the service the consumer has been charged for where such details can be reasonably obtained; and 
  2. contact details and hours of operation (including customer care details and website).

3.4.10

Intermediary providers and merchant providers must have clear and publicly available customer care, complaints handling and refund policies in place.

When developing customer care, complaint and refunds policies (Code Requirement 3.4.10), intermediary providers and merchant providers should consider including:

  • their (merchants) contact details - all available methods of contact
  • what information is required from consumers for the merchant to be able to handle their enquiry
  • associated timeframes for responses and expected timeframes for resolution
  • how to escalate enquiries to complaints 
  • what information is needed to raise a complaint
  • how refunds will be provided/methods of refund available
  • in what circumstances consumers will be eligible for refunds, for example on a "no quibble" basis
  • if the information needed to begin a claim for a refund is known, the process should be designed to gather such information at the first feasible opportunity
  • details of ADR if the merchant provider is signed up to one
  • how to complain to the PSA.

When developing processes, providers should consider:

  • how the data is gathered and stored
  • how issues are reviewed or assessed
  • how the matter is escalated (where necessary)
  • how the process can operate in such a way that gives the complainant confidence that their complaint is being properly considered and dealt with in a timely manner.

Customer care, complaint and refunds policies should be reviewed regularly and should evolve based on experience of how they work in practice. Merchants should update their policies where any issues are identified. Where any process has multiple steps, and some of those are unreasonable, it is likely to be considered an ineffective process which is not easy or fair.

3.4.11

In handling consumer complaints, PRS providers must consider the particular needs of consumers who are or may be vulnerable and may be likely to suffer harm or detriment as a result. PRS providers must have regard to the Standard outlined at paragraph 3.5 below which also applies in the context of consumer complaints.

Refunds
3.4.12

Where refunds are provided to consumers, they must be provided promptly and using a method that is easily accessible for each consumer.
We believe presenting consumers with choice in how they would like to be refunded will improve the consumer experience overall and is most likely to constitute an “easily accessible” method (Code Requirement 3.4.12) as the consumer will be able to pick the option that is preferred by, and most easily accessible to them.

The following methods of refunding consumers are regularly used in the market:

  • back to bill or credit on account – requires providers to reverse or cancel a transaction or apply a credit to the consumer’s phone bill or account
  • bank transfer – requires the consumer to provide their bank details to the provider
  • PayPal payment – requires the consumer to provide their PayPal email address or other details to the provider
  • SMS collection code – requires the consumer to present a refund collection code at a Post Office counter to receive a cash refund
  • cheque – requires the consumer to cash the cheque with their bank or building society.

Merchant providers (or intermediary providers where they are providing refunds instead or on behalf of merchants) may offer their preferred method of refunding to consumers as the primary refund option. However, other methods should also be made available where the provider’s preferred choice is not accessible to a consumer. For example, if the provider’s preferred method of refund is to send the consumer a cheque, but the consumer does not have a bank account or is unable to cash a cheque with their bank easily, this would not be considered easily accessible to the consumer.

The amount of the refund due to the consumer can have an influence on their preferred method of receiving the payment.

For smaller amounts, in most cases we consider that refunding back to a consumer’s phone bill or phone account would be the quickest and most easily accessible method. However, we recognise that for certain types of phone-paid transactions, this is not always the easiest or quickest method for the provider and in some cases not possible. In addition, some consumers would in any case prefer to receive a refund by some other method – for example to a bank account.

For larger amounts, consumers may be more likely to want to receive a refund in a way that allows them to access the funds for purposes other than the payment of phone bills. In this case, one of the other methods of making refund payments mentioned above is likely to be more appropriate and accessible.

In all cases, what is most important is that the consumer agrees to the method of payment and is given a clear understanding of how much is to be refunded and when they can expect to receive the refund.

3.4.13

Merchant providers (or intermediary providers where they are providing refunds instead or on behalf of merchant providers) must ensure that a decision as to whether or not a consumer is owed a refund is made promptly. The basis for the decision must be clearly communicated to the consumer.

3.4.14

Merchant providers (and intermediary providers where relevant) must ensure that, once agreed, all refunds are processed within 14 working days.

3.4.15

Where a refund is due, the merchant provider must take responsibility for providing it in the first instance. Where the merchant provider is unable to meet all refund requests it may enter into arrangements with an intermediary provider or network operator to provide refunds instead or on its behalf. Where this is the case the intermediary provider or network operator must provide the refunds promptly and using a method that is easily accessible for each consumer.

3.4.16

Merchant providers must ensure that consumers who pursue a complaint and/or seek a refund are not required to expend undue time, effort or money in doing so.

Merchant providers should ensure that consumers are able to have their issues resolved without having to spend time making multiple contacts (Code Requirement 3.4.16). Being clear on what information is needed to raise a complaint and request a refund from the outset and providing consumers with updates on the status of their complaint and refund request should prevent undue time and effort being spent by consumers.

Consumers should not incur any additional charges in pursuing a complaint and/or refund. Customer care facilities should be free of charge (no more than basic rate if a phoneline is used) and consumers should not be expected to pay any fees to seek and obtain a refund.

Standard

Services must be promoted and provided in a way that ensures they are not likely to cause harm or detriment to consumers who are or may be vulnerable as a result of their particular circumstances, characteristics or needs.

Requirements
3.5.1

Intermediary providers and merchant providers must nominate a person or persons within their organisation that will have overall responsibility for ensuring that the organisation, and the PRS that it promotes and provides, takes account of the needs of vulnerable consumers.

3.5.2

Intermediary providers and merchant providers must, on request, provide the PSA with copies of their written policies and procedures concerning vulnerable consumers. Such policies and procedures must include the identification of risks to such consumers and the controls in place to mitigate those risks, as well as procedures to ensure the fair and proper treatment of such consumers. The policies and procedures must also set out clearly the mechanism for internal approval and review, as well as ongoing monitoring of their effectiveness. Intermediary providers and merchant providers must be able to demonstrate to the satisfaction of the PSA how these policies and procedures are being used effectively in the promotion and delivery of PRS.

3.5.3

Network operators, intermediary providers and merchant providers must have regard to paragraph 3.4.11 above on complaints handling. In doing so, they must ensure that their policies and procedures are robust and take account of the needs of all consumers, including those who are or may be vulnerable.

3.5.4

Merchant providers must ensure that appropriate age verification measures are in place if so required under paragraph 3.5.8 below.

Provisions that apply specifically to children
3.5.5

Where a service is aimed at or likely to appeal to children, any promotion associated with that service must state that the bill-payer’s permission is required and also state any age requirements for use of the service.

3.5.6

Services that are aimed at or are likely to appeal to children must not offer cash prizes or prizes that can be easily converted to cash.

3.5.7

PRS must not take advantage of children’s potential credulity, lack of experience or sense of loyalty.

Age verification requirements
3.5.8

The following age verification requirements will apply to Adult Services, Remote Gambling Services, Consumer Credit Services, Sexual Entertainment Services and Live Entertainment Services.

3.5.9

As part of the promotion of the service and at the beginning of the consumer’s interaction with the service before any charges are incurred, it must be made clear that:

  1. the service must not be used by anyone under the age of 18 years;
  2. the consumer must be the bill-payer or have the permission of the bill-payer in order to use the service; and
  3. service details may appear on the bill.

3.5.10

Services that require age verification must not be:

  1. accessible from within other services that do not require age verification; or
  2. promoted within promotional material for other services that do not require age verification.

3.5.11

Where it is discovered that a consumer using a service that requires age verification is below the required age, any charges incurred must be refunded and the consumer must be blocked from using the service.

The Vulnerable consumers Standard aims to ensure that measures are adopted for consumers who, due to their particular circumstances, characteristics or needs are or may be vulnerable, to ensure that they are protected from harm as far as is reasonably possible and do not suffer detriment as a result. It is important that providers consider the particular needs of vulnerable consumers, in service provision and promotion, as well as customer care (including complaints handling).

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid service providers (network operators, intermediary providers and merchant providers) can comply with the Vulnerable consumers Standard and Requirements. To support compliance with the Vulnerable consumers Standard, this guidance provides more detail on the following aspects of this Standard:

  • what we mean by vulnerable consumers
  • developing policies and procedures for vulnerable consumers
  • using and monitoring policies and procedures.

If you have any queries about the guidance or want to discuss your approach to compliance with the Vulnerable consumers Standard, please email us at compliance@psauthority.org.uk.

What do we mean by vulnerable consumers?

Consumers can be vulnerable for a variety of reasons. We recognise that organisations use a range of different terminology and some people might not like to be labelled as a vulnerable customer. However, the term is well-recognised across a number of industries, including the payments market. The phone-paid market also has certain characteristics which can put vulnerable consumers at greater risk of harm and/or detriment.

Characteristics that may lead to a consumer being considered vulnerable include (but are not limited to):

  • lack of English language skills or low literacy and/or numeracy skills
  • disability or mental health condition
  • low level of technical/IT literacy
  • age – including children (defined as under 16 years of age) and older people
  • learning difficulties or low mental capacity
  • addiction.

Circumstances that may lead to a consumer being vulnerable include (again not limited to):

  • income shock, e.g. due to job loss or being victim of a financial scam
  • bereavement
  • domestic abuse, including financial control and abuse
  • sudden and unexpected situation causing strife, e.g. illness or relationship breakdown.

Unlike characteristic-based causes of vulnerability, vulnerability caused by circumstances is often more temporary in nature.

There are also some characteristics of some services in the phone-paid services market that may put vulnerable consumers at greater risk of harm. These include (again not limited to):

  • low value, quick transactions which lead to impulse purchases
  • purchases often made on the go, using a small screen
  • some services attractive to children and younger people
  • some services attractive to people in difficult circumstances which could lead to them being vulnerable, e.g. ICSS for people under financial pressure seeking to make insurance claims or reach their banks or people trying to access essential public services such as jobseekers allowance
  • some services attractive to people with existing vulnerabilities, e.g. gambling services which appeal to people with gambling addiction or psychic services which may be attractive to recently bereaved people
  • multiple players in the value chain, which can make it harder for vulnerable consumers with limited tenacity or capacity to complain and seek redress when things go wrong (Report-on-consumer-vulnerability-26-08-2020f.pdf)

The Code (paragraph D.2.79) defines a vulnerable consumer as:

A consumer who is less likely to make fully informed or rational decisions due to a specific characteristic, circumstance or need and may be likely to suffer detriment as a result.

This definition is deliberately broad and recognises that all consumers could potentially be vulnerable.

Taking responsibility for ensuring phone-paid services take account of vulnerable

Intermediary and merchant providers need to ensure that they nominate somebody within their organisation to be responsible for ensuring the needs of vulnerable consumers are being taken into account. This person (or persons) should be of an appropriate level of seniority and influence, and have sufficient authority and influence within the organisation to be able to drive forward change if necessary. We recognise this might work differently across providers.

Developing policies and procedures for vulnerable consumers

The PSA accepts that in the phone-paid services market it is not always easy to identify vulnerable consumers but despite this, the PSA does expect providers to have knowledge and an understanding of their consumer profile and to act in a way which does not create or exacerbate vulnerabilities. When designing policies and procedures for vulnerable consumers, we expect providers to take an inclusive approach to who may be considered vulnerable.

Developing policies and procedures for vulnerable consumers will greatly assist in preventing any potential harm and/or detriment for vulnerable consumers.

The following table is intended to assist intermediary and merchant providers in terms of what should be included within policies and procedures and the key things to think about. Each heading below is something that should be included in policies and procedures for vulnerable consumers, followed by a checklist of things to think about.

Identification of risks

The PSA would expect to see that intermediaries and merchant providers have:

  • identified who their target market is, including whether any services are likely to appeal to vulnerable consumers or particular types of vulnerable consumer, including children (defined in the Code as under the age of 16)
  • considered whether the ways in which services are advertised and marketed might attract vulnerable consumers, including whether the style, content and composition of the promotional material might make it particularly attractive to children
  • used existing customer data and ongoing monitoring information to identify any additional risks, especially around customer care
  • thought about the characteristics and circumstances that can lead to consumers becoming vulnerable, and tested their systems to ensure they adequately anticipate and can respond to any reasonably foreseeable vulnerable customer needs.

Controls in place to mitigate those risks

The PSA expects intermediaries and merchant providers to be able to demonstrate that they have thought about the sorts of controls they may need to put in place, to mitigate the risks they have identified. The sorts of controls which intermediary and merchant providers might need to put in place include:

  • if services are likely to be attractive to children, promoting how parental controls can be put in place
  • if a service is restricted to people over 16 or over 18, appropriate controls to enable them to meet Code Requirements 3.5.8 – 3.5.11
  • appropriate mechanisms to identify excessive use of phone-paid services (see Fairness Guidance for more information)
  • if an advertising channel is suspected of driving vulnerable consumers to the service, addressing this with any marketing partners
  • ensuring customer care staff have appropriate resources and reference materials at their disposal, so they can speak with vulnerable customers with knowledge and confidence and provide a level of service that meets their needs
  • training for staff to enable them to recognise and respond appropriately to the explicit and implicit signs of potential consumer vulnerability
  • some providers might want to consider training a smaller number of staff who could act as "specialists", in which case they would need to ensure that all staff are able to pass queries on without delay or inconvenience for the customer.

Procedures to ensure fair and proper treatment

The PSA would expect to see that intermediaries and merchant providers have:

  • paid particular attention when developing their procedures to ensure they meet with the Requirements around customer care (3.5.3), provisions that apply specifically to children (3.5.5, 3.5.6 and 3.5.7) and where applicable age verification (3.5.4, 3.5.8, 3.5.9, 3.5.10 and 3.5.11)
  • ensured that their complaint handling is sensitive and aware of the potential for consumer vulnerability (3.4.11).

Mechanism for internal approval and review, and ongoing monitoring

The PSA would expect to see that intermediaries and merchant providers have:

  • clearly identified an individual responsible for approving the policy and procedures
  • set out what monitoring will be undertaken, by whom and how often (it is recommended that monitoring data/evidence is reviewed at least twice a year)
  • clearly identified how often the policy and procedures will be reviewed (it is recommended that this is done at least annually).

Policies need to be available to the PSA on request.

Using policies/monitoring effectiveness

To meet the Requirements of this Standard it is not sufficient to simply have policies and procedures concerning vulnerable consumers in place, they should be monitored and used effectively in the promotion and delivery of phone-paid services.

To monitor effectively, providers will need to gather and use relevant data and other evidence and information. The PSA accepts that gathering data in relation to vulnerable consumers can be difficult and that such data will not always be available. However, the PSA does expect providers to make reasonable efforts to enable them to identify complaints from vulnerable consumers. Suggestions as to the sort of data or other evidence that could be used to help monitor the effectiveness of policies and procedures include (but are not limited to):

  • data which indicates how many readers, viewers, or listeners of a publication, broadcast, or other media where the service is promoted, are children (or some other vulnerable group)
  • relevant feedback from any user testing
  • data that identifies if there are any patterns in the level or distribution of complaints, e.g. do a number involve, for example, children (or some other vulnerable group)
  • patterns of unusual use and/or spend (see the Fairness Standard guidance for more information on excessive use)
  • feedback from customer care staff which could include call recordings of customer care staff dealing with vulnerable consumers
  • an evaluation method at the end of any training to ensure it has been well understood and implemented effectively.

The PSA expects providers to be able to demonstrate how they are using their policies and procedures effectively in the promotion and delivery of phone-paid services. The sort of evidence that intermediary and merchant providers might provide to the PSA to demonstrate this could include (but is not limited to):
  • any discernible change in the pattern of complaints received from vulnerable consumers which indicates an increased level of satisfaction with the service and/or quicker resolution of complaints received from vulnerable consumers
  • increased satisfaction scores from vulnerable consumers
  • demonstration of how complaints data or other information from vulnerable consumers has been used to make improvements to the design of services (including promotions) and/or procedures
  • materials used for staff training 
  • materials available for staff to assist them in identifying both the explicit and implicit signs of potential consumer vulnerability
  • changes made to the design and promotion of phone-paid services as a result of identifying particular risks
  • any additional requirements placed on any contractors in relation to vulnerable consumers, e.g. affiliate marketers.

We recommend that such evidence is kept for a period of two years so that it is available to the PSA on request.

Standard

Consumer privacy must be respected and protected.

Requirements
3.6.1

Network operators, intermediary providers and merchant providers must comply with all applicable privacy and data protection laws.

3.6.2

Unless otherwise permitted by law, consumers must not be contacted without their consent. Whenever a consumer is contacted, and on each such occasion, the consumer must be given an opportunity to withdraw their consent to being contacted. If consent is withdrawn, the consumer must not be contacted thereafter. Where contact with consumers is made as a result of information collected from a PRS, the merchant provider of that service must be able to provide to the PSA, on request, evidence which establishes each consumer’s consent to being contacted.

3.6.3

Network operators, intermediary providers and merchant providers must ensure that consumers’ personal data are not collected or passed on to any other person without their consent (as defined by law), unless under a legal obligation to do so or it is necessary for, or in connection with, legal proceedings.

Standard

Promotions and services must be provided in a manner that does not cause harm or unreasonable offence or distress to consumers or to the general public.

Requirements
3.7.1

PRS must not promote, incite, or be likely to promote or incite, hatred in respect of any individual or identifiable group, including by age, disability, sex, gender identity or reassignment, race, religion or belief, or sexual orientation.

3.7.2

PRS must not encourage or be likely to encourage consumers to put themselves or others at risk. Such risks may include financial, personal and/or health-related risks.

3.7.3

PRS must not induce or be likely to induce an unreasonable sense of fear, anxiety, distress or offence in consumers or among the general public.

(ii) Organisations

Standard

Organisations and individuals involved in providing PRS must provide the PSA with timely, accurate and detailed information about themselves and the services they offer or intend to offer.

Requirements
Organisation information
3.8.1

Before a PRS is made accessible to consumers, all network operators, intermediary providers and merchant providers in the relevant PRS value chain must register with the PSA, subject only to paragraph 3.8.9 below.

3.8.2

Registration requires PRS providers to provide such information about themselves and their services as the PSA may require for the purpose of effective and efficient regulation. PRS providers will be required to provide such information through the PSA Register. The PSA will publish details of the information it requires for registration, which will be updated as the PSA considers appropriate from time to time.

3.8.3

In order to register with the PSA, all network operators, intermediary providers and merchant providers must provide the name and contact details of the individual(s) within the organisation, or within any contracted third party, with overall responsibility and accountability for each of the following:

  1. DDRAC policies and procedures, and the oversight of their implementation;
  2. platform security and compliance with the technical standards set out at Annex 3, as updated from time to time (except where voice-based services are being provided);
  3. policies and procedures concerning vulnerable or at-risk consumers, and the oversight of their implementation; and
  4. overall regulatory compliance in respect of PRS.

Merchant providers are not required to provide details in respect of paragraphs 3.8.3(a) and 3.8.3(b) above unless they are also performing the role of an intermediary provider.

3.8.4

The following further Requirements in respect of registration will apply to merchant providers (unless an exemption under paragraph 3.8.9, or a relevant permission under paragraph 2.6.2, applies):

  1. Merchant providers must, before making a service accessible to consumers, provide to the PSA all information (including any relevant numbers and access or other codes) that the PSA requires for the purpose of enabling consumers to identify easily the services they may have used and/or for which they have been charged. The PSA will publish details of the information it requires under this sub-paragraph, which will be updated as the PSA considers appropriate from time to time.
  2. Merchant providers must provide the identity of any other PRS providers involved in the provision of the service, as well as information about any other person contracted for the promotion and/or delivery of the service.
  3. The PSA will include the details provided in accordance with paragraphs 3.8.4(a) and 3.8.4(b) above on the PSA Register. Those details will also be made freely available to consumers through the PSA’s website.
  4. Whenever any of the information provided under paragraphs 3.8.4(a)–(b) changes, the updated information must be provided to the PSA promptly and in any event within five working days of the change.

3.8.5

Network operators and intermediary providers must each ensure that all PRS and associated access numbers are registered with the PSA (unless an exemption under paragraph 3.8.9, or a relevant permission under paragraph 2.6.2, applies) before enabling a service to become accessible to consumers.

3.8.6

PRS providers must keep all information provided to the PSA as part of registration up to date. The PSA must be notified of any changes to such information promptly and in any event within five working days of the change.

3.8.7

Registration must be renewed annually or at another reasonable interval as determined by the PSA from time to time.

3.8.8

The PSA will impose a reasonable charge for registration and registration renewal. The PSA will set the amount of the charge giving reasonable notice to PRS providers and other interested persons. Unless an exemption applies by virtue of paragraph 3.8.9 below the charge must be paid prior to any PRS provider being deemed by the PSA to be registered.

3.8.9

The PSA may make exemptions from the duty to register, in particular by identifying specific categories of PRS providers and/or services to which the duty to register will not apply and/or any circumstances in which that duty or the requirement to pay a registration charge under paragraph 3.8.8 above will not apply (an exemption).

3.8.10

PRS providers that fall within an exemption are not required to register with the PSA and/or pay a registration charge in relation to any PRS to which the exemption applies.

3.8.11

The PSA will publish a full list of exemptions made under paragraph 3.8.9 above on its website. The list of exemptions may be updated from time to time.

3.8.12

All breaches of this Code or any previous editions of the Code by a PRS provider, and any sanctions imposed as a result, will be linked to that provider’s registered details in the PSA Register, together with any relevant information arising from any determinations concerning associated individuals and/or any other relevant information which is publicly available, for such time as the PSA considers appropriate.

3.8.13

Certain categories of information held by the PSA on its register will be accessible at any time by registered PRS providers, other regulators or any law enforcement agency with a legitimate interest.

3.8.14

A registered PRS provider which is no longer providing any PRS or which only provides PRS that fall within an exemption may de-register at any time. Where a relevant PRS provider is de-registered, their details will continue to be held by the PSA on the PSA Register for a reasonable period, subject to any applicable law.

3.8.15

Any failure to comply with any requirement of paragraph 3.8 will constitute a breach of the Code.

Standard

Organisations and individuals must perform effective due diligence on any person or organisation with whom they contract in relation to PRS, and must conduct a full and thorough assessment of potential risks arising from the provision, content, promotion, and marketing of PRS on an ongoing basis.

The DDRAC Standard acknowledges the importance of effective DDRAC processes which are central to good business practice as it enables all parties in the value chain to operate with confidence and assurance that the practices of those they contract with in the delivery of phone-paid services are compliant and effective.

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid service providers (network operators, intermediary providers and merchant providers) can comply with the Due Diligence, Risk Assessment and Control (DDRAC) Standard and Requirements. It provides more detail on:

  • what to include in effective due diligence policy and procedures
  • undertaking initial risk assessments 
  • what ongoing risk assessment and control processes need to be in place for the lifetime of any particular service/contractual arrangement
  • storage of information
  • responding to incidents, including terminating contracts.

If you have any queries about the guidance or want to discuss your approach to compliance with the DDRAC Standard, please email us at compliance@psauthority.org.uk.

In summary, the responsibilities of the different parts of the value chain are as follows:

Network operators are required to perform DDRAC on any intermediary, merchant, third-party verification platform, or affiliate advertiser with whom they are directly contracted.

Intermediary providers are required to perform DDRAC in respect of any contracted downstream party involved in the provision of a particular service. This includes any other intermediary provider, third-party verification platform, affiliate advertisers or merchant provider with whom they are directly contracted.

Merchant providers may be required to perform risk assessment and control on clients with whom they are directly contracted to facilitate the provision of a service; this includes affiliate advertisers and any outsourced customer care facilities. Merchant providers should note that while they are not directly required to do so by the Code, they may, through any contractual arrangements with network operators or intermediaries, be obliged to perform DDRAC on any third party they contract with who is involved in the provision of a service, as per Code Requirement 3.9.12.

All information gathered in respect of due diligence, and/or risk assessment and control must be made available to the upstream value chain and the PSA on request.

Requirements
3.9.1

Network operators and intermediary providers must undertake thorough due diligence on any person with whom they contract in connection with the provision of PRS prior to entering into any contract and/or rendering any service accessible to consumers.

The PSA expects parties in a value chain to carry out effective due diligence before contracting with another party to provide a phone-paid service, and to use this information to undertake a risk assessment on each of their clients and services. The purpose of undertaking due diligence before a commercial agreement commences, or a service is accessible to consumers, is to ensure that providers fully understand the organisations they contract with in the delivery of a phone-paid service.

A non-exhaustive list of the types of information to be collected as part of due diligence checks can be found at Annex 2 of the Code. The requirements at Annex 2 represent the minimum level of information to be collected where such information exists and is obtainable. Should a network operator or intermediary provider deem additional information is appropriate in certain circumstances to satisfy its own due diligence requirements, Annex 2 does not preclude or otherwise limit the scope of information that can be collected.

This information should be retained as set out in our data retention notice and remain available to the network operator or intermediary provider as relevant, to enable their own assessment of the due diligence performed by their contracted parties on other participants involved in the provision of each service.

As required by Code paragraph 3.9.6, network operators and intermediary providers are only required to undertake DDRAC on those parties with whom they have a direct contractual relationship. We do not expect network operators and intermediaries to have any downstream responsibilities for third parties with whom they do not have any direct contractual relationship. But what we do expect network operators and intermediary providers to do is include in their contracts (Code paragraph 3.9.12) a requirement that the parties they contract with include DDRAC obligations in their own contracts with others involved in the provision of the services. It is in this way that DDRAC flows from network operator to intermediary and on to other parties in the value chain which could include other intermediaries, merchants or third parties.

Where a network operator or an intermediary provider does not have a direct contractual relationship with a party not directly within the value chain (for example, a third-party verification platform or an affiliate marketer), we expect the party who contracts with the third party to include due diligence requirements in their contract. There should also be arrangements that enable sharing of due diligence information across the value chain, so that all parties in the value chain are able to assess any potential risks effectively.

Where a network operator or intermediary provider contracts with an app store, we do expect that the network operator or intermediary provider has a good understanding of what checks, systems and processes contracted parties have in place to ensure that third-party app store services are unlikely to cause potential harm. But this does not mean that network operators or intermediary providers are responsible for conducting DDRAC in respect of all the apps/games which are available through that app store.

The use of third-party compliance or auditing houses does not absolve providers of their DDRAC responsibilities. The use of such companies may assist with the ongoing risk assessment that networks and providers are expected to undertake, for example by providing monitoring of services, but on its own is unlikely to be considered sufficient.

Providers using third parties to undertake monitoring should ensure they undertake due diligence on such companies aligned with the expectations as set out in Code Annex 2 and supported by this guidance.

We recommend that network operators and intermediary providers take steps to understand the particulars of the services being operated on an ongoing basis. This should include network operators and intermediary providers collecting, and keeping up-to-date, information on the service types being offered by providers and whether any of those services fall into categories of service subject to service-specific Requirements. Network operators and intermediary providers should ensure that they are fully aware of the services being provided, inclusive of any specific requirements which may be applicable to that service type or payment mechanism. For example, where number ranges are allocated by a network to an intermediary for voice services, the network in question should ensure they are fully aware, through the intermediary provider, of the types of services their merchants are using the numbers for, as well as any specific requirements which may be applicable to those service types, for example, the recording of live entertainment services or any applicable call length or spend limits.

Using due diligence information to undertake an initial risk assessment

The information collected as part of due diligence enquiries prior to a contract commencing or prior to a service going live should be used by the relevant party to develop an initial assessment and/or risk score in relation to that party, the value chain overall and the relevant services. This will enable them to put in place appropriate risk controls to ensure the compliant delivery of phone-paid services to consumers.

Generally, we consider that all new clients and/or services would be likely to need a greater level of risk control than established services. This is on the basis that there is often limited information on which to base the initial risk assessment. The risk score or rating should also consider:

  • the service type being delivered
  • the length of time a provider has been active in the phone-paid services market – both in the UK and in other markets
  • the compliance history of the party or any breach history relating to the service if they have been active in the UK market before
  • the processes in place for addressing any issues and sharing information across the value chain to ensure any issues are dealt with promptly and effectively.

As the relationship and experience with the client develops, the assessment of the level of risk that the client and/or service(s) pose can be adjusted. We recommend that network operators, intermediaries and merchant providers review risk assessment and control processes periodically to ensure that they remain effective. The review period will depend on each client: the confidence established through the ongoing relationship, the complexity of the client's role within the value chain and any risks associated with the service offered. Where longer intervals between periodic reviews on a particular client are established, this should be on the basis that an extended period between reviews can be fully justified and evidenced should issues come to light.

3.9.2

Network operators, intermediary providers and merchant providers must continually assess the potential risks posed by any person with whom they contract in respect of the provision, content, promotion, and marketing of PRS. Network operators, intermediary providers and merchant providers must take and maintain effective and ongoing steps to control and mitigate any risks identified.

3.9.3

Network operators and intermediary providers must comply with the additional due diligence Requirements set out at Annex 2. The PSA may update these additional due diligence Requirements from time to time following comment and approval by Ofcom, and following reasonable consultation where the PSA considers it to be appropriate. The PSA will provide notice of any such updates by publishing them on its website no less than 30 days before any updated DDRAC Requirements come into force.

3.9.4

PRS providers must only enter into contracts relating to PRS with other PRS providers that are registered with the PSA, except where an exemption from registration applies under paragraph 3.8.9 above.

3.9.5

Where an intermediary provider is seeking to facilitate provision of a PRS that was previously operating through a different intermediary provider, they must comply with all DDRAC Requirements in respect of the relevant merchant provider and/or service. This includes (but is not limited to) verifying any data that has been migrated to them from the previous intermediary provider. Reliance on any information obtained in the course of any previous DDRAC undertaken in respect of the merchant provider will not be sufficient to meet the Requirement of this paragraph.

3.9.6

Network operators and intermediary providers must have written DDRAC policies and procedures in place. Any such policies and procedures must be approved by the director or equivalent person within the relevant organisation who has overall responsibility for DDRAC compliance in respect of each value chain and PRS.

Network operators and intermediary providers must have clear and effective DDRAC policies and processes in place. While merchant providers are not required by the Code to have due diligence policies and processes in place, they may be contractually required through the value chain to put them in place in addition to the risk assessment and control policies and processes they should have in order to meet their obligations under Code Requirement 3.9.2.

We recommend that DDRAC policies and procedures set out:

  • the information that the network operator or intermediary provider will collect as part of due diligence, prior to a commercial relationship commencing. This should include the information listed at Code Annex 2.3.
  • how such information will be verified and retained 
  • how information will be used to undertake the initial risk assessment
  • the circumstances in which a provider may make additional enquiries of parties that they contract with, e.g. where the information provided as part of due diligence processes flags risks or issues that require further investigation
  • the checks and verification measures that must take place prior to making a migrated service available to consumers
  • the processes and timeframes for when and how a provider will review the information it holds to ensure it is up to date
  • how risks will be recorded – in the case of an issue, the explanation should set out exactly when and how it was discovered, and by whom
  • how identified risks will be responded to, and the steps that should be taken to prevent potential consumer or regulatory harm – this should include a timestamped record of who has signed them off as being completed and when
  • how incidents will be recorded
  • a procedure or action plan which sets out how the provider will respond to issues of suspected or evidenced consumer harm and/or non-compliance. This includes ensuring that any contractual requirements are being complied with, and that information is shared between the parties in a timely manner.
  • the circumstances in which contracts may be terminated, and the process surrounding notification of such termination. This should include clear, documented consideration of whether intermediary or merchant providers should be suspended or have their contracts terminated in relation to more serious incidents, and clearly documented consideration of whether a sequence of incidents warrants suspension or contract termination.
  • who in the organisation has the overall responsibility and oversight for reviewing DDRAC information, including the authority to take decisions including sign-off – a director or the equivalent person with responsibility for DDRAC within the organisation
  • who in the organisation is responsible for reviewing DDRAC processes on an ongoing basis to ensure they remain fit for purpose and are operating effectively – a director, or the equivalent person with responsibility within the organisation.

DDRAC policies and procedures should be version controlled (where updated over time) and provided to the PSA on request.

3.9.7

All DDRAC undertaken by network operators and intermediary providers in relation to each person with whom they contract must be reviewed and signed off by a director or the equivalent person with responsibility for DDRAC within the relevant organisation.

3.9.8

Network operators must have contracts in place that allow them in appropriate circumstances to suspend or terminate their relationships with intermediary providers where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

Network operators must have contracts in place which allow them to suspend or terminate their contractual relationship with intermediary providers in circumstances where non-compliant activity is discovered (Code Requirement 3.9.8). In addition, they should take effective action against intermediary providers whose platforms facilitate non-compliant activity, such as charging consumers without consent, or where they reasonably suspect this to be the case.

This should include clear, documented consideration of whether intermediary providers should be suspended or have their contracts terminated in relation to more serious incidents and clearly documented consideration of whether a sequence of incidents warrants suspension or contract termination.

Intermediary providers should have contracts in place which allow them to suspend or terminate their contractual relationship with any merchant or third-party consent verification platform based on non-compliant activity, or where they reasonably suspect that such activity has occurred or is occurring (Code Requirement 3.9.9).

This should include clear, documented consideration of whether merchant providers or third parties should be suspended or have their contracts terminated in relation to more serious incidents and clearly documented consideration of whether a sequence of incidents warrants suspension or contract termination.

3.9.9

Intermediary providers must have contracts in place that allow them to suspend or terminate their relationships with merchant providers or third-party content verification providers where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

3.9.10

Network operators and intermediary providers must make provision, in each contract they enter into in respect of PRS, which requires the other party to the contract to provide information gathered in the course of conducting DDRAC to the relevant network operator or intermediary provider and/or to the PSA on request, including information related to any third parties, to the extent permitted by law.

The PSA recommends that any party undertaking DDRAC should have a process for risk assessment in place for each of their clients and each service that the client is operating. Ongoing risk assessments are dynamic and need to be responsive to the information that is shared across the value chain. For example, a merchant provider may be considered to have a low risk profile if they have operated services with limited issues over a long period. But if that merchant provider wants to operate a new service type where the level of risk is yet to be established, we recommend that this be taken into account and monitored closely until there is sufficient data available to evidence that the service is operating effectively.

Agreements should be in place between parties in the value chain to enable information to be shared as per Code Requirement 3.9.10, so that risks can be identified and steps taken to mitigate them.

We recommend this includes information about both the services being operated and the organisation operating them. For example:

  • information about changes to the method of promotion or sign-up
  • numbers of consumers using a service
  • complaints data
  • refunds processes and procedures, and data on refunds issued (including any goodwill payments made)
  • information about any breaches being investigated by the PSA
  • alterations to the company structure or appointments of new staff in key positions
  • alterations made to the service and/or promotional methods.

Network operators, intermediary providers and merchant providers should be able to demonstrate that this information has not been tampered with in any way and has been securely stored since the records were created. Network operators, intermediary providers and merchant providers within the value chain should undertake their own checks and monitoring or have access to information as needed to satisfy themselves that the service is operating effectively. Internal checks should be undertaken when there are unusual patterns of activity which may indicate consumer harm (e.g. spikes in traffic and/or consumer complaints made directly to the provider of the service).
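The paragraph above asks providers to show that DDRAC records have not been tampered with since they were created. One way to make that demonstrable, rather than asserted, is to keep the evidence in an append-only, hash-chained log in which every entry commits to the hash of the entry before it. The following is an added example written for this guidance page; it is not PSA text or any provider's code. The record fields, client names and timestamps are constructed for illustration, and the Code prescribes no particular storage format.

```python
"""Tamper-evident DDRAC evidence log: an append-only chain of SHA-256 hashes.

Added example, not part of the Code or guidance. Record contents are
constructed; the Code does not prescribe a storage format.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(record, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so identical content always
    # produces the same hash regardless of how the dict was built.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class EvidenceLog:
    """Each entry stores the previous entry's hash. Altering, reordering or
    deleting any earlier entry changes what every later entry should hash to,
    so verify() fails at the first entry that no longer fits the chain."""

    def __init__(self):
        self.entries = []

    def append(self, record_type, details, signed_off_by, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        record = {
            "type": record_type,            # e.g. due_diligence, risk_assessment, incident
            "details": details,
            "signed_off_by": signed_off_by,  # the director or equivalent (3.9.7)
            "timestamp": when,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev_hash": prev,
                             "hash": _digest(record, prev)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        where index is the first entry that fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or _digest(entry["record"], prev) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def head_hash(log):
    """The latest hash is what a provider can share upstream (or with the PSA)
    at the time of recording, so the recipient can later confirm that a
    log handed over on request still matches what was recorded."""
    return log.entries[-1]["hash"] if log.entries else GENESIS


def build_sample_log():
    # Constructed records; fixed timestamps keep the example deterministic.
    log = EvidenceLog()
    log.append("due_diligence",
               {"client": "ExampleMerchant Ltd (constructed)",
                "annex2_items_collected": ["company_number", "directors", "trading_address"]},
               "DDRAC director", "2024-01-15T09:00:00+00:00")
    log.append("risk_assessment",
               {"client": "ExampleMerchant Ltd (constructed)", "initial_score": "medium",
                "reason": "new client, no UK compliance history"},
               "DDRAC director", "2024-01-15T09:30:00+00:00")
    log.append("incident",
               {"client": "ExampleMerchant Ltd (constructed)",
                "summary": "complaint spike on service X (constructed)",
                "discovered_by": "monitoring team", "action": "service paused pending review"},
               "DDRAC director", "2024-02-02T14:10:00+00:00")
    return log


def tamper_demo():
    """Show the chain verifying, then failing after a record is edited in place."""
    log = build_sample_log()
    ok_before, _ = log.verify()
    # Someone quietly downgrades the recorded risk score after the fact.
    log.entries[1]["record"]["details"]["initial_score"] = "low"
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print("head hash:", head_hash(build_sample_log()))
    print("before/after tamper, first bad entry:", tamper_demo())
```

Deleting an entry is caught the same way: the next entry's `prev_hash` no longer matches the hash of the entry that now precedes it. Publishing or sharing `head_hash()` at the time of recording is what turns the chain from self-consistency into evidence a third party can check.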

Network operators, intermediary providers and merchant providers should periodically test and/or monitor risks, as appropriate to a particular provider or third party or service category (e.g. for a subscription service, it may be prudent to test the clarity of promotions, and whether receipts have been sent). We recommend that risks be recorded and updated in a risk register or equivalent document.

The frequency of such testing should be based on the risk assessment. For example, it may be appropriate to monitor less frequently a client with no breach history, whose directors are not linked to other companies with breaches, or whose service type is considered lower risk, than a client where those risk factors are present. However, a dynamic assessment will need to be made, based on up-to-date information shared between the parties.

We recommend that network operators, intermediary providers and merchant providers have in place and periodically review:

  • a procedure or action plan which sets out how the contracted party will respond to issues of suspected or evidenced consumer harm and/or non-compliance. This includes ensuring that any contractual requirements are being complied with, and that information is shared between the parties in a timely manner
  • a plan for how the client’s service or activity will be periodically monitored, based on the risk assessment, which includes:
    • monitoring to check that agreed promotional material and promotional methods being used match those seen by consumers
    • ensuring that complaint-handling processes are effective, timely and consistent.
  • processes to ensure that the intermediary provider or merchant provider (as relevant) responds to any PSA request in a timely manner
  • internal mechanisms to enable "whistleblowing" by staff, where appropriate.

This action plan/procedure should be reviewed from time to time and at least annually, to ensure it is operating effectively and enabling network operators, intermediary providers and merchant providers to assess and respond to risks as required.

3.9.11

Network operators and intermediary providers must take reasonable steps to satisfy themselves that any contracting party involved in the provision of a PRS meets the DDRAC Standard and Requirements in respect of any other person in the value chain with whom that party contracts.

3.9.12

Network operators and intermediary providers must ensure that any persons with whom they contract include DDRAC obligations in their own contracts with any other persons in the PRS value chain who are involved in the provision of the service. Such DDRAC obligations must enable information gathered in the course of conducting DDRAC to be shared across the value chain and with the PSA upon request, to the extent permitted by law.

3.9.13

Where a network operator contracts with a PRS provider which is acting in the capacity of both an intermediary provider and a merchant provider, the network operator is responsible for undertaking DDRAC in respect of that provider and its services.

3.9.14

Network operators, intermediary providers and merchant providers must use the information obtained through their DDRAC processes to inform their ongoing risk assessment and control in respect of each person with whom they contract and any associated services, having regard to any guidance issued by the PSA from time to time.

3.9.15

Network operators, intermediary providers and merchant providers must make available to the PSA upon request all documentation in relation to DDRAC within a reasonable time period specified by the PSA, to the extent permitted by law.

Storage of information

All procedures for DDRAC should set out proper processes for collecting and storing the information gathered. All DDRAC evidence obtained should be:

  • collated and retained in a dedicated and secure location
  • backed-up to prevent data loss.

All relevant information in relation to a particular organisation/service should therefore be accessible and capable of being provided in an appropriate format when requested by the PSA.

Measures should be taken to ensure that evidence to support due diligence, risk assessment and control processes does not become inaccessible due to staff changes, human error, or technical failure.

Providers should ensure that they refer to and comply with the data retention notice issued by us which sets out the various categories of data that must be retained and the applicable retention periods.

Responding to incidents

We recommend that network operators, intermediary providers and merchant providers respond to incidents proactively and in line with their established procedures. We recommend that parties work closely with us in line with our supervision and engagement activities, and with other parties in the value chain to identify, mitigate and rectify any issues, including providing support to consumers.

Breaches should be identified and notified promptly to the PSA when they arise so they can be remedied, and services therefore delivered to a high standard to consumers.

To limit and address consumer harm, providers are encouraged to proactively alert us to any incidents regarding their own or third-party services. We will consider proactive cooperation when deciding about the most appropriate action to take (if any). Should enforcement action be deemed necessary, such cooperation will be considered as a mitigating factor.

Standard

All systems, including payment and consent verification platforms, used for the provision of and exit from PRS must be technically robust and secure.

Requirements
3.10.1

All network operators and intermediary providers must appoint one or more suitably qualified or experienced person(s) with overall responsibility for security and fraud in respect of PRS.

3.10.2

All intermediary providers must have a single point of contact (SPoC) who acts as the point of contact for the PSA regarding systems issues and security. The SPoC should be registered as such with the PSA and should be a suitably qualified or experienced person with technical expertise in systems issues and security.

3.10.3

All intermediary providers (except where they are providing voice-based services) must comply with the technical standards set out at Annex 3. The PSA may update these technical standards from time to time (in line with technological advances) following comment and approval by Ofcom, and following reasonable consultation where the PSA considers it to be appropriate. The PSA will provide notice of any such updates by publishing them on its website no less than 30 days before any updated technical standards come into force.

3.10.4

All intermediary providers (except where they are providing voice-based services) must have their platform security-tested on an annual basis by a third party which appears on the NCSC Approved List. Results of any such security test must be submitted to any network operator(s) with which the relevant intermediary provider has a contractual relationship.

3.10.5

All intermediary providers must act upon any security alerts or flags, whether received from their own monitoring or from information shared by others, in a timely manner.

3.10.6

Network operators must ensure that any platform security test results submitted to them in accordance with paragraph 3.10.5 are assessed by suitably qualified or experienced staff with the requisite technical expertise to analyse the results and make appropriate recommendations.

3.10.7

Network operators and intermediary providers must provide the results of all intermediary provider platform security tests to the PSA in accordance with any request made pursuant to Section 4 or any direction for information made under paragraph 6.1 of this Code.

3.10.8

Network operators must have contracts in place that allow them in appropriate circumstances to suspend or terminate their relationships with intermediary providers:

  1. on the basis of a technical or security threat or issue; and/or
  2. where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

3.10.9

Intermediary providers must have contracts in place that allow them to suspend or terminate a payment facility to any merchant provider or third-party content verification platform:

  1. on the basis of a technical or security threat or issue; and/or
  2. where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

3.10.10

Any evidence created and stored in relation to the Requirements for obtaining consent to charge set out at paragraphs 3.3.6–3.3.17 above must be independently auditable and provided to the PSA upon request.

3.10.11

Where a PRS provider engages any third party to undertake activities to obtain or verify consumer consent to charges on its behalf, it must require that third party by contract to supply the PSA with any relevant data or information upon request, to the extent permitted by law.

3.10.12

Network operators must have in place contracts with intermediary providers which allow for the randomised testing of platforms, including third-party platforms, at any time. Network operators must retain the right to refuse to accept verifications by any third-party platform at their discretion.

3.10.13

All network operators and intermediary providers must implement a coordinated vulnerability disclosure scheme and act upon any issues reported.

All systems, including payment and consent verification platforms, used for the provision of and exit from phone-paid services must be technically robust and secure.

The guidance sets out the PSA’s expectations and provides more detail on how phone-paid service providers (network operators, intermediary providers and merchant providers) can comply with the Systems Standard and Requirements. To support compliance with the Systems Standard, this guidance provides more detail on:

  • technical expectations
  • setting intruder traps – e.g. decoy network services or credentials
  • conducting proactive threat hunts
  • risk management and control
  • staff roles and responsibilities.

All platform providers must take reasonable actions within the context of their role to ensure that all of the phone-paid services they are involved in are of an adequate technical quality, including the mechanisms used to deliver services to and to enable exit of services by consumers.

If you have any queries about the guidance or want to discuss your approach to compliance with the Systems Standard, please email us at compliance@psauthority.org.uk.

Expectations around robust systems

Robust systems are those which have adequate technical and risk control procedures and records that demonstrate any charging cannot have been initiated in any way other than from the informed consent of a consumer.

Systems expectations can be split into three categories:

  • technical expectations 
  • risk management and control
  • staff roles and responsibilities

These expectations apply to all platforms. This includes payment/consent platforms provided by any intermediary provider who is part of a value chain, and consent verification platforms provided by third parties (whether they sit within a value chain, or have been contracted by a merchant provider, intermediary provider, or network within it, or indirectly provide consent verification services to it).

Technical expectations

These are set out at Annex 3 of the Code. The PSA’s technical expectations for payment and consent verification platforms take into account that it is possible to arrive at robust proof of informed consent through different approaches, depending on the design of a platform’s technical architecture. Nonetheless, there are universally accepted standards regarding the underlying software platforms on which services operate, and the protocols they use to interface with web pages and other external systems. The technical expectations which we set focus on these universal standards.

Risk management and control

Poor risk management can lead to systems being compromised. It is important that all relevant providers involved have adequate processes to quickly identify, record, communicate and control risk, and to incorporate lessons learned into processes.

All parties involved in provision of phone-paid services should maintain a security risk/issues register. The register should record any identified risks or issues on an ongoing basis, and set out as a minimum the following:

  • an explanation of the risk or issue – in the case of an issue, the explanation should also set out exactly when and how it was discovered, and by whom
  • the actions taken to mitigate/resolve the risk/issue – with a timestamped record of who has signed them off as being complete and when
  • any further ongoing actions (which can be transferred to “actions taken” as above, once they are complete and signed off)
  • the individuals within the organisation responsible for ongoing actions.

The PSA also recommends that active threat monitoring measures are implemented to monitor systems and alert staff in real time. These measures should aggregate data from across the platform, understand traffic patterns, and provide detailed information about potential attacks or exploits. This should include, but not be limited to:

  • leveraging threat intelligence from previously seen attacks
  • analysing consumer behaviour – e.g. transaction logs, transaction times, user agent/device, x-header requests, associated URLs, IP addresses, time deltas between double opt-ins, repeat transactions, unfinished transactions, repeat unfinished transactions and their frequency
  • analysing merchant provider behaviour – e.g. what kind of data they access and how frequently, whether apps are requesting payment pages
  • performing “attacker behaviour” analytics
  • conducting “red team/blue team” penetration testing using discovered malware.
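The consumer-behaviour analytics listed above (transaction times, user agent, IP addresses, time deltas between double opt-ins, repeat unfinished transactions) can be turned into simple automated checks over a platform's transaction log. The following is an added example written for this guidance page, not PSA text or any provider's monitoring code. The log format, the event names (`optin1`, `optin2`, `charge`) and the thresholds (under 3 seconds between the two opt-in steps, 3 or more abandoned starts, one IP seen with 2 or more numbers) are constructed assumptions chosen for illustration; a real platform would tune them from its own baseline traffic.

```python
"""Transaction-log analytics for a double opt-in consent flow.

Added example, not part of the Code or guidance. Log format, event names and
thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# timestamp | pseudonymised msisdn | event | client IP | user agent
SAMPLE_LOG = """\
2024-03-01T10:00:00|msisdn-A|optin1|203.0.113.5|Mozilla/5.0 (Android)
2024-03-01T10:00:09|msisdn-A|optin2|203.0.113.5|Mozilla/5.0 (Android)
2024-03-01T10:00:10|msisdn-A|charge|203.0.113.5|Mozilla/5.0 (Android)
2024-03-01T10:01:00|msisdn-B|optin1|198.51.100.7|curl/8.4
2024-03-01T10:01:00|msisdn-B|optin2|198.51.100.7|curl/8.4
2024-03-01T10:01:01|msisdn-B|charge|198.51.100.7|curl/8.4
2024-03-01T10:02:00|msisdn-C|optin1|198.51.100.7|curl/8.4
2024-03-01T10:02:30|msisdn-C|optin1|198.51.100.7|curl/8.4
2024-03-01T10:03:00|msisdn-C|optin1|198.51.100.7|curl/8.4
2024-03-01T10:03:30|msisdn-C|optin1|198.51.100.7|curl/8.4
"""

# Illustrative thresholds (assumptions, not Code values).
MIN_OPTIN_DELTA = timedelta(seconds=3)  # a person needs a few seconds to read and confirm
MAX_UNFINISHED = 3                      # repeated abandoned starts with no completed charge
MAX_MSISDNS_PER_IP = 2                  # one client address driving several numbers


@dataclass
class Event:
    ts: datetime
    msisdn: str
    kind: str
    ip: str
    ua: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msisdn, kind, ip, ua = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), msisdn, kind, ip, ua))
    return events


def analyse(events):
    """Return a list of (subject, flag, detail) tuples for human follow-up.
    Flags are indicators to investigate and record, not proof of a breach."""
    flags = []
    by_msisdn = defaultdict(list)
    ip_to_msisdns = defaultdict(set)
    for e in events:
        by_msisdn[e.msisdn].append(e)
        ip_to_msisdns[e.ip].add(e.msisdn)

    for msisdn, evs in by_msisdn.items():
        evs.sort(key=lambda e: e.ts)
        # 1. Time delta between the two opt-in steps: a near-zero gap is not
        #    consistent with a consumer reading a page and confirming.
        first = next((e for e in evs if e.kind == "optin1"), None)
        second = next((e for e in evs if e.kind == "optin2"), None)
        if first and second and (second.ts - first.ts) < MIN_OPTIN_DELTA:
            gap = (second.ts - first.ts).total_seconds()
            flags.append((msisdn, "fast_double_optin", f"{gap:.0f}s between steps"))
        # 2. Repeat unfinished transactions: many starts, never a charge.
        starts = sum(1 for e in evs if e.kind == "optin1")
        charges = sum(1 for e in evs if e.kind == "charge")
        if charges == 0 and starts >= MAX_UNFINISHED:
            flags.append((msisdn, "repeat_unfinished", f"{starts} starts, 0 charges"))
        # 3. Consent confirmation from a non-browser user agent.
        for e in evs:
            if e.kind == "optin2" and not e.ua.startswith("Mozilla/"):
                flags.append((msisdn, "non_browser_ua", e.ua))
                break

    # 4. One client IP seen with several distinct numbers.
    for ip, numbers in ip_to_msisdns.items():
        if len(numbers) >= MAX_MSISDNS_PER_IP:
            flags.append((ip, "shared_ip", ", ".join(sorted(numbers))))
    return flags


if __name__ == "__main__":
    for subject, flag, detail in analyse(parse_log(SAMPLE_LOG)):
        print(f"{subject:14} {flag:20} {detail}")
```

Each flag is a prompt to investigate and to record the outcome in the risk/issues register described above, not a conclusion in itself; the point of the example is that the signals the guidance names are cheap to compute once the consent flow logs the step, the time, the address and the user agent.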

All parties involved in the provision of phone-paid services should act on any security alerts or flags, whether from their own monitoring or information shared by others, in a timely manner (Code Requirement 3.10.5). An example template for recording security breaches, or attempted breaches, is attached at Appendix B. The use of this template is voluntary; however, it does set out the level of detail the PSA would expect to receive around any security breaches or attempted breaches where relevant to an investigation.

The PSA recommends that each platform should be tested by a CREST-accredited third party or a third party with an equivalent accreditation on an annual basis. Testing should identify and score exploits according to the OWASP taxonomy and the CVSS scale. The results of these tests should be made available to all mobile network operators and provided to the PSA on request. Any identified exploit with a CVSS score of 4.0 or over should be fixed or mitigated immediately. The platform, and services that are using it (or in the case of third-party consent verification platforms, just the services that are using them) may be in breach of the relevant Code Requirements (Code Requirements 3.10.4, 3.10.5 and 3.10.6) until the fix has been completed, as independently verified by the tester.

In line with DDRAC Requirements, intermediary providers should have contracts in place which allow them to suspend or terminate payment, or their contractual relationship, with any merchant or third-party consent verification platform on the basis of non-compliant activity, such as charging consumers without informed and robust consent, or where they reasonably suspect that such activity has occurred or is occurring.

Also in line with DDRAC Requirements, mobile network operators should have contracts in place which allow them to suspend or terminate their contractual relationship with providers in circumstances where non-compliant activity is discovered. In addition, they should take effective action against intermediary providers whose platforms facilitate non-compliant activity, such as charging consumers without consent or where they reasonably suspect this to be the case.

This should include clear, documented consideration of whether an intermediary provider should be suspended or have its contract terminated following a more serious incident, and equally clear, documented consideration of whether a sequence of incidents warrants suspension or contract termination.

The PSA recommends that mobile network operators should have contracts in place which permit them to conduct further random testing by the accredited third party at any time on any intermediary provider’s payment platform (Code Requirement 3.10.12), and to document any findings and when and how improvements are made as a result of them.

The PSA’s Guidance on DDRAC provides further guidance on the PSA’s expectations in respect of risk management and control.

Network operators and intermediary providers must implement a coordinated vulnerability disclosure scheme (Code Requirement 3.10.13). This will enable providers to work cooperatively with security researchers and other relevant persons to find solutions to remove or reduce any risks associated with an identified vulnerability in their services and/or systems. The aims of a vulnerability disclosure scheme include ensuring that identified vulnerabilities are addressed in a timely manner; removing or minimising any risks from any identified vulnerabilities; and providing users with sufficient information to evaluate any risks arising from vulnerabilities to their systems.

There are a range of resources available to providers to assist them in developing coordinated vulnerability disclosure schemes including an ISO standard.

Staff roles and responsibilities

To enable the identification of risks and ensure they are communicated and controlled, the PSA has set out expectations around roles and responsibilities and staff training. Staffing decisions are a matter for the company concerned. However, given the importance of platform security, the PSA’s expectation is that all platform providers have adequate resource, either internal or externally contracted, focused on security and fraud. The PSA recommends that security staff should be able to meet the following competencies:

  • ability to evaluate risks in platforms and software and research security incidents
  • good understanding of web security and internet security tools
  • understanding of threat modelling.

The PSA’s expectation under Code Requirement 3.10.1 is that all platform providers have an assigned Head of Security or other equivalent senior role. The PSA recommends that a Head of Security or equivalent senior person should be able to meet these competencies:

  • demonstrable knowledge of the latest security thinking and threat modelling methods
  • ability to manage complex IT platform overhaul projects, if required
  • significant knowledge and experience of IT/web security to enable the effective identification, management and control of security and fraud risks
  • significant knowledge and experience of security management systems and processes.

Where such a role is vacant as a result of staff departure or absence, then responsibility should shift upwards to a more senior member of staff.

Each intermediary platform provider must have a nominated Single Point of Contact (SPoC) whose details have been shared with the PSA via the PSA Registration System (Code Requirement 3.10.2), the connecting network(s) and any relevant industry stakeholders. This is so that if an incident does occur, no time is wasted in investigating and rectifying issues.

We recommend that all relevant providers ensure that platform development staff are trained in secure development techniques and have an understanding of relevant risks and threats to an appropriate level. Training should be undertaken periodically, to take account of threat and risk evolution and to keep skills current. 

Our expectation is that all platform development staff should build their understanding of relevant risks and threats into any development work they carry out. Relevant providers will be expected to be able to demonstrate this on request by the PSA.

The PSA’s expectation is that all platform or other systems development – including but not limited to new protocols for phone-payments – should have their functionality reviewed by the provider’s security team before they go live.

The PSA recommends that the Head of Security (or equivalent senior person) should have the authority to veto any protocols or solutions and ensure that any systems changes are not implemented without an audited assessment and approval from the security team. Where the decision is taken not to follow this recommendation, the provider should be able to demonstrate how they achieve an equivalent level of assurance. An example template for recording such an assessment is attached at Appendix B. The use of this template is voluntary and is intended to set out the level of detail the PSA would expect to receive about assessments where relevant to an investigation.

Appendix A – Glossary of technical terms

Attacker behaviour analytics - where web and payment platforms analyse previously known patterns of cyber-attacker behaviour and use the trends in that data to identify repeats of those attacks, or the next potential variants of those attacks.

Authentication cookies - the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. A cookie is a small piece of data sent from a website and stored on the user’s device by the user’s web browser while the user is browsing. This is usually to remember information, such as any items a user has added to a shopping cart, or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited). They can also be used to remember information that the user previously entered into form fields such as names, addresses, passwords, and card details or phone numbers for payment.

Content Security Policy (CSP) - a computer security standard introduced to prevent various types of attacks where malicious code is injected into a trusted web page. CSP works by providing a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. Anything which is not approved cannot be loaded.

Coordinated vulnerability disclosure scheme - a scheme established to enable network operators and/or intermediary providers to work cooperatively with security researchers and other relevant persons to find solutions to remove or reduce any risks associated with an identified vulnerability in their services and/or systems. Such a scheme involves the reporting of vulnerabilities to network operators and/or intermediary providers by security researchers, and the coordination and publishing of information about a vulnerability and its resolution. The aims of vulnerability disclosure within such a scheme include ensuring that identified vulnerabilities are addressed in a timely manner; removing or minimizing any risks from any identified vulnerabilities; and providing users with sufficient information to evaluate any risks arising from vulnerabilities to their systems.

Council for Registered Ethical Security Testers (CREST) - an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provide internationally recognised accreditations for organisations, and professional-level certifications for individuals providing various types of cyber-security services.

Cross-Site Scripting (XSS) - a type of computer security vulnerability which typically exploits known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely. An attacker “injects” malicious coding into the content being delivered by the web application. When the resulting “combined” content arrives at the user’s web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system.

Common Vulnerability Scoring System (CVSS) - a free and open industry standard for assessing the severity of computer system security vulnerabilities, created following research by the US National Infrastructure Advisory Council in 2003/04. Vulnerabilities are rated on a scale of one to ten, with ten being the most severe.

Hyper Text Transfer Protocol (HTTP) - the underlying protocol used by the World Wide Web, which defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands.

Hyper Text Transfer Protocol Secure (HTTPS) - the secure version of HTTP. HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data.

HTTP Strict Transport Security (HSTS) - a web security policy mechanism that allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure (HTTPS) connections, and never via the insecure HTTP protocol. A website using HSTS must never accept clear text HTTP and either not connect over HTTP or systematically redirect users to HTTPS.

Mobile Origination message (MO) - a text message which has been originated on, and sent from, a mobile device. These can be either free – i.e., the cost of sending the message is that of sending a standard text – or charged at a premium when the text is received by the mobile shortcode to which it was sent.

Mobile Termination message (MT) - a text message which is received by a mobile device. These can either be free – i.e., receiving the message costs the recipient nothing – or charged at a premium when the device receives the message. In the context of phone payment, MT messages are usually generated by an intermediary in response to consumer interaction with a Level 2 provider merchant. Where they are not, it may be that the message and any associated charge was unsolicited.

National Cyber Security Centre (NCSC) - an organisation of the UK Government that provides advice and support for the public and private sector on how to avoid computer security threats. One of their products is the NCSC Cyber Security Essentials certification, a set of basic technical controls to help organisations protect themselves against common online security threats. Cyber Essentials is backed by industry including the Federation of Small Businesses, the Confederation of British Industry and a number of insurance organisations which are offering incentives for businesses. From 1 October 2014, the Government has required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.

Network internet provision - an Internet service provider (ISP) is an organisation that provides services for accessing, using, or participating on the Internet. Where a consumer uses the internet access provided by their network to browse the web with their device, this is known as “Network IP”.

Open Web Application Security Project (OWASP) - a worldwide not-for-profit charitable organisation focused on improving the security of software, so that individuals and organisations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues free, open-source software tools and knowledge-based documentation on application security. The OWASP Top 10 is a project to document the ten most critical categories of security risk to web applications. It represents a broad consensus of a variety of security experts from around the world, who share their expertise to revise the list on a regular basis.

Payload protection - the payload is any message sent by a user’s device to a website or other web application, where that message contains, or has had added, malicious coding. Payload protection is any action or system which seeks to identify and block messages containing malware.

Personal Identification Number (PIN) - a numeric or alpha-numeric password used to authenticate a user so they can access a website, web application, or any other system.

Rate limiting - used to control the rate of traffic sent or received by a network interface controller. In the context of phone payment, it prevents repeated attempts by an attacker to send the same message or execute the same action. A common example is the rapid and sequential entry of every possible four-digit PIN until the correct one is entered, thus allowing an attacker who does not know the PIN to gain access through repetition.
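The PIN-guessing case in this definition is what a per-identifier rate limit on PIN entry exists to stop. The following is an added example, not PSA guidance or any platform's code; the limits (3 failures per 10-minute sliding window, then a one-hour lock) and the MSISDN-keyed design are assumptions.

```python
"""Added example (not PSA text): per-MSISDN rate limiting of PIN entry so
that exhaustive entry of four-digit PINs is cut off after a few failures."""
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 3        # assumed policy: 3 failed attempts per window
WINDOW_SECONDS = 600    # assumed: 10-minute sliding window
LOCKOUT_SECONDS = 3600  # assumed: lock the identifier for 1 hour afterwards


class PinRateLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # msisdn -> epoch seconds of failures
        self._locked_until = {}              # msisdn -> epoch seconds

    def is_locked(self, msisdn, now):
        until = self._locked_until.get(msisdn)
        return until is not None and now < until

    def _prune(self, msisdn, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[msisdn]
        while q and now - q[0] > self.window:
            q.popleft()

    def check_pin(self, msisdn, submitted, expected, now):
        """Return 'locked', 'ok' or 'rejected'. `now` is epoch seconds,
        passed in explicitly so the behaviour is deterministic and testable."""
        if self.is_locked(msisdn, now):
            return "locked"          # even a correct PIN is refused while locked
        self._prune(msisdn, now)
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(submitted, expected):
            self._failures[msisdn].clear()
            return "ok"
        self._failures[msisdn].append(now)
        if len(self._failures[msisdn]) >= self.max_failures:
            self._locked_until[msisdn] = now + self.lockout
            self._failures[msisdn].clear()
            return "locked"
        return "rejected"


def attempts_before_lock(limiter, msisdn, expected="1234"):
    """Count how many sequential wrong PINs are evaluated before the lock engages."""
    evaluated = 0
    for guess in range(10000):
        pin = f"{guess:04d}"
        if pin == expected:
            continue
        evaluated += 1
        if limiter.check_pin(msisdn, pin, expected, now=evaluated) == "locked":
            break
    return evaluated


if __name__ == "__main__":
    print(attempts_before_lock(PinRateLimiter(), "447700900001"))
```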

Red team/blue team testing - where a security function divides into two teams in order to conduct penetration testing. One, the Red Team, uses malware the team has discovered to try and execute that malware on a “sand boxed” version of the platform, with the Blue Team attempting to identify and prevent any attempts.

Threats - known malicious indicators that appear together during specific cyber-attacks. By recording and aggregating intelligence about threats, payment platforms and web applications can identify and prevent further attacks using the same methods and look to predict what variations on previous attacks may appear next.

Transport Layer Security (TLS) - an encryption protocol that protects data when it moves between computers or other devices. When two devices send data, they agree to encrypt the information in a way they both understand. This prevents data being intercepted by a third party, or "injected" with malicious code.

Time delta - where a user interacts with a website or web application, and in particular where they click on-screen buttons, the time delta between clicks is an important way of ascertaining whether the interaction is genuine or is potentially being carried out by a device infected with malicious code. Sometimes an infected device will "click" more rapidly than a human being could or will click on the exact same pixel within a sequence of buttons which are presented.

Uniform Resource Locator (URL) - the formal term for a web address.

X-header request - the instruction sent by a device in order to "pull" a specific website or webpage to it and display the page so a user can browse it. In effect, the X-header request ID correlates the HTTP request between a user’s device and the website or web application’s server.

Appendix B – Example templates for security records

Assessment of New Platform or Systems Developments

  • Description of the proposed update/new protocol/development
  • Person(s) responsible for security assessment
  • Summary of the security assessment (e.g., methodology used to assess and test)
  • Pass or fail?
  • If “pass”, were there any dissenting views? Please provide details:
    • Person(s) who dissented
    • Reasons for dissent
    • Relevant OWASP category
  • If “fail”, please provide details of the reasons for failure:
    • Description of the identified issue/weakness/risk
    • Relevant OWASP category
  • Will the proposal be re-submitted?
  • If it will, what improvement actions are required?
    • Description of the action
    • Who is responsible for the action?
    • Date the action is assessed as complete
    • Who signed it off as complete?

Record of identified security incident

  • Description of identified breach or attempted attack
    • Breach or attempted attack?
    • Description
    • Relevant OWASP category
  • When and how was it identified?
    • Date
    • Time
    • How was it flagged?
    • Who was the SPoC?
  • Person(s) who performed the initial assessment
  • Summary of the incident and the SPoC’s assessment
  • Was the incident reported to:
    • MNOs? Date and time; person reporting; summary of further/ongoing actions that resulted
    • PSA? Date and time; person reporting; summary of further/ongoing actions that resulted
    • ICO? Date and time; person reporting; summary of further/ongoing actions that resulted
  • What immediate actions were required?
    • Summary of action
    • Who is responsible for the action?
    • When was the action completed? (Date and time)
    • Who signed the action off as complete?
  • What remedial actions were required?
    • Summary of action
    • Who is responsible for the action?
    • When was the action completed? (Date and time)
    • Who signed the action off as complete?

(iii) Service-specific requirements

3.11.1

Society Lottery Services must not be used by anyone under the age of 16 years.

3.11.2

Promotions for Society Lottery Services must contain details of:

  1. the Society Lottery that benefits from the running of the service; and
  2. the intermediary provider and merchant provider responsible for the service.

3.11.3

For each and every valid entry, the consumer must be issued with a valid ticket of entry to the Society Lottery that sets out all ticketing information as required by law. 

3.12.1

Promotional material must clearly set out details of the operator or PRS provider’s qualifications and training which enable them to provide the Professional Advice Service.

3.12.2

Any oral or written communication relating to the review of an agreement for the provision of the Professional Advice Service constitutes promotion or provision of that service.

3.13.1

Any promotion must make clear that winning is not a certainty.

3.13.2

Prior to entry, the consumer must be clearly provided with:

  1. a clear description of how the service works and instructions on how to use it;
  2. information on any prizes available (including where relevant the amount of money that consumers stand to win), the number of prizes available, and any restrictions on the number of prizes that can be won;
  3. the full cost of participation, including but not limited to the cost of entry;
  4. the date and time after which the consumer can no longer enter or participate;
  5. how and when any winners will be contacted;
  6. how and when any prizes will be received or money won will be paid;
  7. how any prize winnings will be calculated; and
  8. where relevant, any criteria for judging entries.

3.13.3

All valid responses for entry into a competition or vote that are sent in by consumers within the timeframe set out in the promotional material must be entered and afforded sufficient time to be given full and equal consideration, except where such responses are received by the merchant provider (or a third party on its behalf) outside of the timeframe set out in the promotional material.

3.13.4

Consumers whose entries are valid must receive confirmation that they have been entered into the competition or vote.

3.13.5

Competition and voting entries that are received by the merchant provider (or a third party on its behalf) outside of the times outlined in the promotion must be considered invalid. The consumer must not be charged for an invalid entry or must be refunded where a charge has been incurred. Any consumer who has made such an entry must be, or must have already been, informed that such an entry is invalid and will neither be entered into the competition or vote, nor charged, or informed that they will be refunded where a charge has been incurred.

3.13.6

Where the method of entry is via a phone call, any call that has commenced during the specified time period for entries must be considered valid. This includes calls that have commenced during the specified time period for entries, but have not been completed prior to the closure time.

3.13.7

Where a TV or radio programme is repeated, the route of entry must only remain open if the entries received will still be considered valid.

3.13.8

Where a service contains multiple routes of entry, all routes of entry must be presented and displayed with equal prominence.

3.13.9

All valid entries must have the same chance of winning.

3.13.10

Consumers must not be subjected to any additional costs in order to claim prizes once draws have been made.

3.13.11

Where a PRS provider has made arrangements in relation to TV and radio competitions or votes for the handling of excess peak traffic by third parties, these arrangements must ensure that all valid votes or entries so handled are treated the same as those received by the provider.

3.13.12

There must be no amendments to the operational systems or procedures relating to the service without senior management authorisation. Any such operational systems or procedures must identify persons in senior management positions within the relevant organisation who have the power to authorise such changes. 

3.14.1

Promotional material must set out:

  1. that Remote Gambling Services are not to be used by anyone under the age of 18 years;
  2. warnings about underage use;
  3. how the service works and how to use it;
  4. any significant terms and conditions (with an accessible hyperlink to the full terms and conditions);
  5. the amount of money that consumers stand to win and how winnings will be calculated;
  6. a clear explanation of how winnings will be paid;
  7. information about responsible gambling, or accessible hyperlinks to such information.

3.14.2

Consumers must be able to access their playing history and account information at any time while using the service.

3.15.1

Promotional material must state that all calls will be recorded.

3.15.2

All calls must be recorded in full, with time-stamps and date-stamps to show each consumer’s entry into, usage of and exit from the service.

3.15.3

If recording ceases at any time and for any reason, calls must be disconnected.

3.15.4

Recordings of Live Entertainment Services must be retained for three years from the point at which the data is collected, in line with the PSA’s data retention requirements. Any such recordings must be provided to the PSA upon request, to the extent permitted by law.

3.16.1

Where services enable consumers to purchase virtual currency, it must be clear how this virtual currency may be used, as well as whether and when it expires.

3.16.2

Where services automatically ‘top up’ a consumer’s virtual currency account once all the currency has been spent (by automatically triggering a further PRS charge or charges on the consumer), this must be made clear to the consumer, prior to purchase.