We are the UK regulator for content, goods and services charged to a phone bill.

Code of Practice

On this page, you can view and search the 15th revision of the Code of Practice which comes into force on 5 April 2022.

3. Regulatory Standards and Requirements

(i) Consumers

Standard

Organisations and individuals involved in the provision of PRS must always act with integrity and must not, in respect of any part of their provision of PRS, act in a way that brings or is likely to bring the PRS market into disrepute.

Requirements
3.1.1

PRS providers must act honestly at all times in all their interactions with consumers and the PSA.

3.1.2

PRS providers and associated individuals must not bring the PRS market into disrepute by being involved, whether knowingly or recklessly, in arrangements which breach any of the provisions of this Code.

3.1.3

All network operators, intermediary providers and merchant providers must act with integrity by:

  1. ensuring that regulation of PRS is satisfactorily maintained by:
    1. taking all reasonable steps in the context of their roles, including through the adoption and maintenance of internal arrangements, to ensure that the Standards and Requirements set out in Section 3 of this Code are complied with in respect of all PRS with which they are concerned;
    2. carrying out their own obligations under the Code promptly and effectively;
    3. taking all reasonable steps to prevent the evasion and/or undermining of PRS regulation; and
    4. taking all reasonable steps to ensure that consumer complaints are resolved quickly and fairly, and that any redress is provided quickly and easily.
  2. having regard to the funding provisions which are set out in Section 7 below and complying with any such provisions where so required.
3.1.4

PRS providers must not engage or otherwise permit the involvement in the provision of PRS of a PRS provider and/or associated individual in respect of whom a sanction has been imposed under paragraphs 5.8.5(f)–(h) below or any previous version of those provisions, so as to enable that person to operate in breach of that sanction.

Standard

Consumers must receive clear, complete and timely information so as to enable them to make fully informed decisions when purchasing phone-paid services.

Requirements
Promotion
3.2.1

During any written, spoken or other form of promotion of a PRS, the cost of the service must be provided before any purchase is made. The cost of the PRS must be prominent, clear, legible, visible and proximate to the phone number, shortcode, button or other means by which a charge may be triggered.

3.2.2

Before making their purchase or incurring any charges, consumers must be fully and clearly informed of all information that would reasonably be likely to influence their decision to purchase, including:

  1. a clear description of what the service is and/or does;
  2. the cost and, where applicable, the frequency of charging;
  3. that the charge will be added to the consumer’s phone account (mobile or otherwise);
  4. the provider’s name (or brand if part of the name);
  5. the name of the service as registered with the PSA;
  6. the name and contact details of the provider responsible for customer care and complaints handling (either the intermediary provider or merchant provider); and
  7. any other key information including a full and clear description of any prizes or awards (where relevant).
3.2.3

All written information provided in accordance with paragraph 3.2.2 above must be accessible, legible and clearly presented.

3.2.4

Where the information provided in accordance with paragraph 3.2.2 above is spoken rather than written, it must be audible, clear and spoken at a pace that enables the consumer to understand fully all the information provided.

3.2.5

Merchant providers are responsible for ensuring that any third party contracted to carry out promotional activity on their behalf complies with all Standards and Requirements set out in this section of the Code that apply to such activity.

3.2.6

Where a PRS promotes or is promoted by a non-premium rate electronic communications service, both services will be considered as one where, in the opinion of the PSA, it is reasonable to do so. 

Point of purchase
3.2.7

The point of purchase must be kept separate and distinct from any promotional materials such that consumers are aware, upon reaching the point of purchase, that they have entered a purchasing environment.

3.2.8

At the point of purchase, the merchant provider must ensure that:

  1. the point of purchase is clearly signposted by distinguishing it from other aspects of the service (such as by design and colour scheme);
  2. the consumer is clearly notified that opting to receive the service creates an obligation to pay and the consumer explicitly acknowledges that obligation;
  3. the consumer is made aware of the cost of the service and the frequency of charges (if recurring) in a clear and prominent manner, and such information must be provided directly before the consumer commits to making a purchase; and
  4. the consumer is clearly notified that the PRS charge will be added to the consumer’s phone account and charged on the basis described.
Use of service
3.2.9

If a call is recorded or monitored, then this must be stated explicitly and immediately upon connection of the consumer to the service.

3.2.10

Where a voice service connects the consumer to another organisation, the cost of continuing the call, including information about access charges, must be clearly stated before onward connection.

3.2.11

Any messages that the consumer needs to access in order to use or engage with a PRS but which are provided separately from the service itself, must be provided at no additional cost to the consumer.

Receipting - mobile network consumers
3.2.12

The merchant provider must ensure that following a consumer’s initial sign-up to the service, and after each subsequent transaction (where the service is recurring), the consumer promptly receives a receipt, at no additional cost to the consumer.

3.2.13

The receipt must be:

  1. an SMS sent to the consumer’s mobile handset, to the number against which the charge has been applied; or
  2. an email sent to the email address that the consumer has provided as part of the sign-up to the service (where applicable).

In either case, the receipt must be provided in a format which can easily be retained and reviewed by the consumer offline.

3.2.14

The receipt must set out:

  1. the name of the service as registered with the PSA;
  2. the name and contact details of the intermediary provider or merchant provider responsible for customer care and complaints;
  3. details of the amount that has been charged;
  4. if the consumer has signed up to a subscription service, details of the frequency of charging, or if there is no defined billing period the basis upon which the frequency of charging is established; and
  5. clear instructions on how to exit the service.
3.2.15

The requirements set out at paragraphs 3.2.12–3.2.14 above do not apply to voice services.

Method of exit
3.2.16

There must be simple methods of permanent exit from the PRS. These must include (without limitation) the same method used by a consumer to sign up to or access the service, except where it is not technically possible to use that same method as a method of exit or the consumer sign up to or access to the service required the use of multi-factor authentication in accordance with paragraph 3.3.7 below.

3.2.17

All methods of exit must enable a consumer to leave the PRS immediately. There must be no further charges to the consumer after exit, except where those charges have been legitimately incurred prior to exit.

Other transparency Requirements
3.2.18

Additional transparency Requirements in relation to services that require age verification are set out at paragraphs 3.5.8–3.5.11 below.

Standard

Consumers must be treated fairly throughout their experience of PRS, including by being charged for PRS only where they have provided informed and explicit consent to such charges.

Requirements
Treating consumers fairly
3.3.1

PRS providers must treat all consumers of PRS fairly and equitably.

3.3.2

PRS providers and their services must not mislead or be likely to mislead consumers in any way.

3.3.3

PRS providers must not use any marketing technique, language or imagery which misleads or has potential to mislead the consumer into believing the service on offer is associated with or provided by another PRS provider or any other public or commercial organisation when it is not.

3.3.4

PRS must be provided without undue delay after the consumer has done what is necessary to connect with the service. Once the consumer has been connected to the service, the service must not be unreasonably prolonged.

3.3.5

Merchant providers must take reasonable and prompt steps to identify excessive use of their service or services by any consumer and to inform the relevant consumer of that usage.

Point of purchase
3.3.6

Consumers must not be charged for PRS without their informed and explicit consent. Merchant providers must be able to provide evidence, where required by the PSA, which establishes that consent.

3.3.7

Multi-factor authentication must be used by merchant providers to establish and demonstrate informed and explicit consumer consent to charges in the following circumstances:

  1. where the service is accessed fully or in part via an online gateway;
  2. where the service is a subscription service, including services involving a recurring donation;
  3. where the service is a Society Lottery Service.
Multi-factor authentication stage one Requirements
3.3.8

In any of the circumstances described at paragraph 3.3.7 above, merchant providers must ensure that the first stage of obtaining consumer consent to any charge, is carried out via one of the following methods of consumer interaction:

  1. use of a password-controlled account, in respect of which the password is selected and controlled by the consumer. The account information fields must not auto-populate or self-generate and must require the consumer to enter at least two of the following details:
    1. their email address as verified by the merchant provider;
    2. a username that they have selected and control;
    3. their name; and/or
    4. a password that they have selected and control.
  2. use of a secure PIN loop system, which must be initiated and confirmed by the intermediary provider through interaction with the consumer. The secure PIN must:
    1. comprise no less than four truly random integers;
    2. be entered by the consumer (and must not auto-populate or self-generate);
    3. expire if, after three attempts, the consumer has not entered the PIN correctly; and
    4. expire within 15 minutes of the PIN being received to the consumer's handset.
  3. use of a secure on-screen PIN which must be initiated and controlled by the intermediary provider or network operator. The secure on-screen PIN must:
    1. not be displayed in a form that is easily readable by a client machine (for example, it should be presented as an image rather than in HTML text);
    2. comprise no less than four truly random integers;
    3. be entered by the consumer (and must not auto-populate or self-generate); and
    4. expire if, after three attempts, the consumer has not entered the PIN correctly.
  4. use of a secure, consumer-controlled mobile originating short message service (MO SMS) system by means of which consumers are required to notify their mobile network operator and intermediary provider(s) of their consent to any charges;
  5. for recurring donation services only, through a phone-call between a person acting on behalf of the charity and a consumer, in which audible consent to the relevant recurring charge is obtained from the consumer. The telephone conversation must be recorded in full; or
  6. for recurring donation services only, through face-to-face engagement with a consumer as part of which the consumer is required to enter at least two details into a secure online environment for the purpose of providing consent to the relevant recurring charge, such as:
    1. their email address as verified by the merchant provider;
    2. their mobile phone number; and/or
    3. their name.
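The secure PIN loop conditions in paragraph 3.3.8 above (at least four random digits, entry by the consumer, expiry after three incorrect attempts, expiry within 15 minutes of receipt) can be checked mechanically. The sketch below is an added example, not part of the Code or of PSA guidance: the class and method names are hypothetical, the OS CSPRNG is assumed to satisfy "truly random", the receipt time is assumed to come from an SMS delivery report, and single use of a verified PIN is an extra assumption.

```python
"""PIN loop sketch for paragraph 3.3.8 (added example; all names are hypothetical)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PIN_LENGTH = 4               # "no less than four" digits
MAX_ATTEMPTS = 3             # expires after three incorrect entries
PIN_TTL_SECONDS = 15 * 60    # expires within 15 minutes of receipt


def generate_pin(length: int = PIN_LENGTH) -> str:
    """Draw each digit from the OS CSPRNG (assumed here to satisfy 'truly random')."""
    if length < PIN_LENGTH:
        raise ValueError("PIN must have at least four digits")
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def _digest(key: bytes, pin: str) -> bytes:
    # Keeps the PIN out of logs and dumps only; a four-digit space is trivially
    # searchable, so the attempt and time limits below are the real control.
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


@dataclass
class Challenge:
    key: bytes
    pin_digest: bytes
    issued_at: float
    delivered_at: Optional[float] = None
    failures: int = 0
    state: str = "pending"                      # pending -> verified | expired
    audit: List[Tuple[float, str]] = field(default_factory=list)


class PinLoop:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                     # injectable so expiry can be tested
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, msisdn: str) -> str:
        """Create a PIN for the SMS gateway; it must never be returned to the web page."""
        pin, key, now = generate_pin(), secrets.token_bytes(16), self._clock()
        ch = Challenge(key, _digest(key, pin), now)
        ch.audit.append((now, "issued"))
        self._challenges[msisdn] = ch           # a new PIN replaces any earlier one
        return pin

    def mark_delivered(self, msisdn: str) -> None:
        """Record the delivery report time (assumed source of the 'received' time)."""
        ch = self._challenges[msisdn]
        ch.delivered_at = self._clock()
        ch.audit.append((ch.delivered_at, "delivered"))

    def verify(self, msisdn: str, entered: str) -> str:
        """Return 'verified', 'wrong_pin', 'expired' or 'unknown'."""
        ch = self._challenges.get(msisdn)
        if ch is None:
            return "unknown"
        now = self._clock()
        if ch.state != "pending":               # used or expired PINs are never revived
            return "expired"
        # Without a delivery report, count from issue time (the stricter choice).
        start = ch.delivered_at if ch.delivered_at is not None else ch.issued_at
        if now - start >= PIN_TTL_SECONDS:
            return self._close(ch, now, "expired")
        if hmac.compare_digest(_digest(ch.key, entered), ch.pin_digest):
            return self._close(ch, now, "verified")
        ch.failures += 1
        if ch.failures >= MAX_ATTEMPTS:         # third miss kills the PIN outright
            return self._close(ch, now, "expired")
        ch.audit.append((now, "wrong_pin"))
        return "wrong_pin"

    def audit_trail(self, msisdn: str) -> List[str]:
        """Event names in order, for the retained consent record."""
        return [event for _, event in self._challenges[msisdn].audit]

    @staticmethod
    def _close(ch: Challenge, now: float, state: str) -> str:
        ch.state = state
        ch.audit.append((now, state))
        return state


if __name__ == "__main__":
    loop = PinLoop()
    number = "447700900001"                     # constructed sample number
    pin = loop.issue(number)
    loop.mark_delivered(number)
    print(loop.verify(number, pin), loop.audit_trail(number))
```

The comparison uses `hmac.compare_digest` so that checking an entry does not leak timing information, and the timestamped audit list gives each challenge a recorded sequence of events.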
Multi-factor authentication stage two Requirements
3.3.9

In addition to the first stage Requirement set out at paragraph 3.3.8 above, merchant providers must carry out the second stage of obtaining consumer consent via one of the following means of consumer interaction:

  1. use of a confirmation button to confirm the purchase;
  2. use of biometric technology, such as fingerprint or facial recognition; or
  3. use of a secure, consumer-controlled MO SMS system by means of which consumers are required to notify their mobile network operator and intermediary provider(s) of their consent to any charges.
3.3.10

For recurring donation services only, where the consumer has donated on a one-off basis and through a confirmation message is provided with the opportunity to convert their one-off donation to a recurring donation, the message must specifically seek the consumer’s consent to the recurring charge. Such consent must be given by way of an MO SMS as set out in paragraph 3.3.9(c) above.

3.3.11

Where a recurring donation service enables donors to skip a monthly payment: 

  1. the instruction command SKIP must be required to be used by donors to suspend payment of their monthly donation; and
  2. a monthly reminder containing the SKIP instruction at paragraph 3.3.11(a) above must be sent 24 hours prior to when the consumer is due to be charged.
3.3.12

For subscription services, except recurring donation services, the following Requirements as relevant will apply:

  1. where a consumer enters into a subscription service that lasts for a defined period (‘term-based subscription’) a reminder must be sent to the consumer at least seven days, and no more than 30 days, before the end of the subscription period. The reminder must state what service or product the consumer has subscribed to and state that the subscription will renew automatically unless the consumer opts out before the end of the subscription period.
  2. where a consumer enters into a subscription service that continues for an indefinite period a reminder must be sent to the consumer within the 14 days preceding each anniversary of the date the consumer entered into the subscription service. The reminder must state what service or product the consumer has subscribed to and state that the subscription will continue until such point the consumer opts out. 
3.3.13

Where a network operator or intermediary provider contracts with a third party to undertake verification of consumer consent to charges as part of their compliance with the provisions above requiring the establishment of such consent, the third party must be independent of the merchant provider.

Evidence of consumer consent to charges
3.3.14

In order to demonstrate consumer consent to charges for a PRS provided fully or partly through an online gateway, the intermediary provider and merchant provider must retain records in compliance with any relevant time periods specified in the data retention notice under paragraph 6.2.20 below. In particular, such records must always clearly set out: 

  1. the dates, times and web addresses that relate to the purchase;
  2. details of the consumer’s device and mobile network;
  3. evidence of at least two positive, recorded and auditable responses from the consumer; and
  4. the information displayed to the consumer immediately prior to initiating the purchase.

Calls to voice-based services

3.3.15

For any calls to voice-based services, intermediary providers and merchant providers must retain records which clearly set out:

  1. the phone number from which the consumer has called (where the consumer’s phone number has not been withheld);
  2. the phone number that the consumer has called; and
  3. the date and time of the phone call.
3.3.16

For phone calls to voice shortcodes, the originating network operator’s record of the consumer’s initiation of the call will be sufficient evidence of consent.

Text message-based services

3.3.17

Intermediary providers and merchant providers must retain records which clearly set out:

  1. the date and time that the consumer sent the relevant text message;
  2. the consumer’s mobile phone number;
  3. the mobile shortcode to which the text was sent;
  4. the date and time when that text was received to the shortcode; and
  5. any messages sent to the consumer in reply.

Standard

Consumers must receive excellent and timely customer care including the resolution of their complaints.

Requirements
3.4.1

Intermediary providers and merchant providers must ensure that consumer enquiries and complaints that they have primary responsibility for handling are responded to and resolved promptly, easily and fairly, at no more than basic rate cost to the consumer. Where an intermediary provider or merchant provider does not have primary responsibility it must promptly refer complaints it receives to the PRS provider that has primary responsibility. For the purposes of this paragraph and paragraphs 3.4.4 and 3.4.5 below, where there are no arrangements between PRS providers in the value chain as to who has primary responsibility, such responsibility will fall on the merchant provider.

3.4.2

Intermediary providers and merchant providers’ customer care facilities must be available to consumers as a minimum during the normal business hours of 9am to 5pm, Monday to Friday (excluding public holidays).

3.4.3

Intermediary providers and merchant providers must keep consumers informed about the status of any complaint and/or associated refund request.

3.4.4

The PRS provider in the value chain with primary responsibility for customer care, whether this is the network operator, intermediary provider or merchant provider, must respond to consumers who contact them promptly and in any event within five working days.

3.4.5

The PRS provider in the value chain with primary responsibility for customer care, whether this is the network operator, intermediary provider or merchant provider, must use all reasonable efforts to resolve all PRS related issues raised by a consumer promptly and in any event within 30 working days of the initial consumer contact.

3.4.6

Intermediary providers and merchant providers must retain, and make available to consumers upon request, all information that is necessary to assist consumers fully in the resolution of their enquiries and complaints.

3.4.7

Intermediary providers and merchant providers must inform consumers who are dissatisfied with the customer care they receive or with the handling of their enquiry or complaint that they may complain to the PSA, and must provide the consumer with the PSA’s contact details accordingly.

3.4.8

Intermediary providers and merchant providers must, upon request, provide the PSA with all information that allows examination of how they have handled any customer care or consumer enquiry or complaint.

3.4.9

Network operators and intermediary providers that interact with consumers in relation to a PRS must provide clear information to them about how to contact the merchant provider, including the merchant provider’s:

  1. name as registered with the PSA and details of the service the consumer has been charged for where such details can be reasonably obtained; and 
  2. contact details and hours of operation (including customer care details and website).
3.4.10

Intermediary providers and merchant providers must have clear and publicly available customer care, complaints handling and refund policies in place.

3.4.11

In handling consumer complaints, PRS providers must consider the particular needs of consumers who are or may be vulnerable and may be likely to suffer harm or detriment as a result. PRS providers must have regard to the Standard outlined at paragraph 3.5 below which also applies in the context of consumer complaints.

Refunds
3.4.12

Where refunds are provided to consumers, they must be provided promptly and using a method that is easily accessible for each consumer.

3.4.13

Merchant providers (or intermediary providers where they are providing refunds instead or on behalf of merchant providers) must ensure that a decision as to whether or not a consumer is owed a refund is made promptly. The basis for the decision must be clearly communicated to the consumer.

3.4.14

Merchant providers (and intermediary providers where relevant) must ensure that, once agreed, all refunds are processed within 14 working days.

3.4.15

Where a refund is due, the merchant provider must take responsibility for providing it in the first instance. Where the merchant provider is unable to meet all refund requests it may enter into arrangements with an intermediary provider or network operator to provide refunds instead or on its behalf. Where this is the case the intermediary provider or network operator must provide the refunds promptly and using a method that is easily accessible for each consumer.

3.4.16

Merchant providers must ensure that consumers who pursue a complaint and/or seek a refund are not required to expend undue time, effort or money in doing so.

Standard

Services must be promoted and provided in a way that ensures they are not likely to cause harm or detriment to consumers who are or may be vulnerable as a result of their particular circumstances, characteristics or needs.

Requirements
3.5.1

Intermediary providers and merchant providers must nominate a person or persons within their organisation that will have overall responsibility for ensuring that the organisation, and the PRS that it promotes and provides, takes account of the needs of vulnerable consumers.

3.5.2

Intermediary providers and merchant providers must, on request, provide the PSA with copies of their written policies and procedures concerning vulnerable consumers. Such policies and procedures must include the identification of risks to such consumers and the controls in place to mitigate those risks, as well as procedures to ensure the fair and proper treatment of such consumers. The policies and procedures must also set out clearly the mechanism for internal approval and review, as well as ongoing monitoring of their effectiveness.  Intermediary providers and merchant providers must be able to demonstrate to the satisfaction of the PSA how these policies and procedures are being used effectively in the promotion and delivery of PRS.

3.5.3

Network operators, intermediary providers and merchant providers must have regard to paragraph 3.4.11 above on complaints handling. In doing so, they must ensure that their policies and procedures are robust and take account of the needs of all consumers, including those who are or may be vulnerable.

3.5.4

Merchant providers must ensure that appropriate age verification measures are in place if so required under paragraph 3.5.8 below.

Provisions that apply specifically to children
3.5.5

Where a service is aimed at or likely to appeal to children, any promotion associated with that service must state that the bill-payer’s permission is required and also state any age requirements for use of the service.

3.5.6

Services that are aimed at or are likely to appeal to children must not offer cash prizes or prizes that can be easily converted to cash.

3.5.7

PRS must not take advantage of children’s potential credulity, lack of experience or sense of loyalty.

Age verification requirements
3.5.8

The following age verification requirements will apply to Adult Services, Remote Gambling Services, Consumer Credit Services, Sexual Entertainment Services and Live Entertainment Services.

3.5.9

As part of the promotion of the service and at the beginning of the consumer’s interaction with the service before any charges are incurred, it must be made clear that:

  1. the service must not be used by anyone under the age of 18 years;
  2. the consumer must be the bill-payer or have the permission of the bill-payer in order to use the service; and
  3. service details may appear on the bill.
3.5.10

Services that require age verification must not be:

  1. accessible from within other services that do not require age verification; or
  2. promoted within promotional material for other services that do not require age verification.
3.5.11

Where it is discovered that a consumer using a service that requires age verification is below the required age, any charges incurred must be refunded and the consumer must be blocked from using the service.

Standard

Consumer privacy must be respected and protected.

Requirements
3.6.1

Network operators, intermediary providers and merchant providers must comply with all applicable privacy and data protection laws.

3.6.2

Unless otherwise permitted by law, consumers must not be contacted without their consent. Whenever a consumer is contacted, and on each such occasion, the consumer must be given an opportunity to withdraw their consent to being contacted. If consent is withdrawn, the consumer must not be contacted thereafter. Where contact with consumers is made as a result of information collected from a PRS, the merchant provider of that service must be able to provide to the PSA, on request, evidence which establishes each consumer’s consent to being contacted.

3.6.3

Network operators, intermediary providers and merchant providers must ensure that consumers’ personal data are not collected or passed on to any other person without their consent (as defined by law), unless under a legal obligation to do so or it is necessary for, or in connection with, legal proceedings.

Standard

Promotions and services must be provided in a manner that does not cause harm or unreasonable offence or distress to consumers or to the general public.

Requirements
3.7.1

PRS must not promote, incite, or be likely to promote or incite, hatred in respect of any individual or identifiable group, including by age, disability, sex, gender identity or reassignment, race, religion or belief, or sexual orientation.

3.7.2

PRS must not encourage or be likely to encourage consumers to put themselves or others at risk. Such risks may include financial, personal and/or health-related risks.

3.7.3

PRS must not induce or be likely to induce an unreasonable sense of fear, anxiety, distress or offence in consumers or among the general public.

(ii) Organisations

Standard

Organisations and individuals involved in providing PRS must provide the PSA with timely, accurate and detailed information about themselves and the services they offer or intend to offer.

Requirements
Organisation information
3.8.1

Before a PRS is made accessible to consumers, all network operators, intermediary providers and merchant providers in the relevant PRS value chain must register with the PSA, subject only to paragraph 3.8.9 below.

3.8.2

Registration requires PRS providers to provide such information about themselves and their services as the PSA may require for the purpose of effective and efficient regulation. PRS providers will be required to provide such information through the PSA Register. The PSA will publish details of the information it requires for registration, which will be updated as the PSA considers appropriate from time to time.

3.8.3

In order to register with the PSA, all network operators, intermediary providers and merchant providers must provide the name and contact details of the individual(s) within the organisation, or within any contracted third party, with overall responsibility and accountability for each of the following:

  1. DDRAC policies and procedures, and the oversight of their implementation;
  2. platform security and compliance with the technical standards set out at Annex 3, as updated from time to time (except where voice-based services are being provided);
  3. policies and procedures concerning vulnerable or at-risk consumers, and the oversight of their implementation; and
  4. overall regulatory compliance in respect of PRS.

Merchant providers are not required to provide details in respect of paragraphs 3.8.3(a) and 3.8.3(b) above unless they are also performing the role of an intermediary provider.

3.8.4

The following further Requirements in respect of registration will apply to merchant providers (unless an exemption under paragraph 3.8.9, or a relevant permission under paragraph 2.6.2, applies):

  1. Merchant providers must, before making a service accessible to consumers, provide to the PSA all information (including any relevant numbers and access or other codes) that the PSA requires for the purpose of enabling consumers to identify easily the services they may have used and/or for which they have been charged. The PSA will publish details of the information it requires under this sub-paragraph, which will be updated as the PSA considers appropriate from time to time.
  2. Merchant providers must provide the identity of any other PRS providers involved in the provision of the service, as well as information about any other person contracted for the promotion and/or delivery of the service.
  3. The PSA will include the details provided in accordance with paragraphs 3.8.4(a) and 3.8.4(b) above on the PSA Register. Those details will also be made freely available to consumers through the PSA’s website.
  4. Whenever any of the information provided under paragraphs 3.8.4(a)–(b) changes, the updated information must be provided to the PSA promptly and in any event within five working days of the change.
3.8.5

Network operators and intermediary providers must each ensure that all PRS and associated access numbers are registered with the PSA (unless an exemption under paragraph 3.8.9, or a relevant permission under paragraph 2.6.2, applies) before enabling a service to become accessible to consumers.

3.8.6

PRS providers must keep all information provided to the PSA as part of registration up to date. The PSA must be notified of any changes to such information promptly and in any event within five working days of the change.

3.8.7

Registration must be renewed annually or at another reasonable interval as determined by the PSA from time to time.

3.8.8

The PSA will impose a reasonable charge for registration and registration renewal. The PSA will set the amount of the charge giving reasonable notice to PRS providers and other interested persons. Unless an exemption applies by virtue of paragraph 3.8.9 below the charge must be paid prior to any PRS provider being deemed by the PSA to be registered.

3.8.9

The PSA may make exemptions from the duty to register, in particular by identifying specific categories of PRS providers and/or services to which the duty to register will not apply and/or any circumstances in which that duty or the requirement to pay a registration charge under paragraph 3.8.8 above will not apply (an exemption).

3.8.10

PRS providers that fall within an exemption are not required to register with the PSA and/or pay a registration charge in relation to any PRS to which the exemption applies.

3.8.11

The PSA will publish a full list of exemptions made under paragraph 3.8.9 above on its website. The list of exemptions may be updated from time to time.

3.8.12

All breaches of this Code or any previous editions of the Code by a PRS provider, and any sanctions imposed as a result, will be linked to that provider’s registered details in the PSA Register, together with any relevant information arising from any determinations concerning associated individuals and/or any other relevant information which is publicly available, for such time as the PSA considers appropriate.

3.8.13

Certain categories of information held by the PSA on its register will be accessible at any time by registered PRS providers, other regulators or any law enforcement agency with a legitimate interest.

3.8.14

A registered PRS provider which is no longer providing any PRS or which only provides PRS that fall within an exemption may de-register at any time. Where a relevant PRS provider is de-registered, their details will continue to be held by the PSA on the PSA Register for a reasonable period, subject to any applicable law.

3.8.15

Any failure to comply with any requirement of paragraph 3.8 will constitute a breach of the Code.

Standard

Organisations and individuals must perform effective due diligence on any person or organisation with whom they contract in relation to PRS, and must conduct a full and thorough assessment of potential risks arising from the provision, content, promotion, and marketing of PRS on an ongoing basis.

Requirements
3.9.1

Network operators and intermediary providers must undertake thorough due diligence on any person with whom they contract in connection with the provision of PRS prior to entering into any contract and/or rendering any service accessible to consumers.

3.9.2

Network operators, intermediary providers and merchant providers must continually assess the potential risks posed by any person with whom they contract in respect of the provision, content, promotion, and marketing of PRS. Network operators, intermediary providers and merchant providers must take and maintain effective and ongoing steps to control and mitigate any risks identified.

3.9.3

Network operators and intermediary providers must comply with the additional due diligence Requirements set out at Annex 2. The PSA may update these additional due diligence Requirements from time to time following comment and approval by Ofcom, and following reasonable consultation where the PSA considers it to be appropriate. The PSA will provide notice of any such updates by publishing them on its website no less than 30 days before any updated DDRAC Requirements come into force.

3.9.4

PRS providers must only enter into contracts relating to PRS with other PRS providers that are registered with the PSA, except where an exemption from registration applies under paragraph 3.8.9 above.

3.9.5

Where an intermediary provider is seeking to facilitate provision of a PRS that was previously operating through a different intermediary provider, they must comply with all DDRAC Requirements in respect of the relevant merchant provider and/or service. This includes (but is not limited to) verifying any data that has been migrated to them from the previous intermediary provider. Reliance on any information obtained in the course of any previous DDRAC undertaken in respect of the merchant provider will not be sufficient to meet the Requirement of this paragraph.

3.9.6

Network operators and intermediary providers must have written DDRAC policies and procedures in place. Any such policies and procedures must be approved by the director or equivalent person within the relevant organisation who has overall responsibility for DDRAC compliance in respect of each value chain and PRS.

3.9.7

All DDRAC undertaken by network operators and intermediary providers in relation to each person with whom they contract must be reviewed and signed off by a director or the equivalent person with responsibility for DDRAC within the relevant organisation.

3.9.8

Network operators must have contracts in place that allow them in appropriate circumstances to suspend or terminate their relationships with intermediary providers where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

3.9.9

Intermediary providers must have contracts in place that allow them to suspend or terminate their relationships with merchant providers or third-party content verification providers where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.

3.9.10

Network operators and intermediary providers must make provision, in each contract they enter into in respect of PRS, which requires the other party to the contract to provide information gathered in the course of conducting DDRAC to the relevant network operator or intermediary provider and/or to the PSA on request, including information related to any third parties, to the extent permitted by law.

3.9.11

Network operators and intermediary providers must take reasonable steps to satisfy themselves that any contracting party involved in the provision of a PRS meets the DDRAC Standard and Requirements in respect of any other person in the value chain with whom that party contracts.

3.9.12

Network operators and intermediary providers must ensure that any persons with whom they contract include DDRAC obligations in their own contracts with any other persons in the PRS value chain who are involved in the provision of the service. Such DDRAC obligations must enable information gathered in the course of conducting DDRAC to be shared across the value chain and with the PSA upon request, to the extent permitted by law.

3.9.13

Where a network operator contracts with a PRS provider which is acting in the capacity of both an intermediary provider and a merchant provider, the network operator is responsible for undertaking DDRAC in respect of that provider and its services.

3.9.14

Network operators, intermediary providers and merchant providers must use the information obtained through their DDRAC processes to inform their ongoing risk assessment and control in respect of each person with whom they contract and any associated services, having regard to any guidance issued by the PSA from time to time.

3.9.15

Network operators, intermediary providers and merchant providers must make available to the PSA upon request all documentation in relation to DDRAC within a reasonable time period specified by the PSA, to the extent permitted by law.

Standard

All systems, including payment and consent verification platforms, used for the provision of and exit from PRS must be technically robust and secure.

Requirements
3.10.1

All network operators and intermediary providers must appoint one or more suitably qualified or experienced person(s) with overall responsibility for security and fraud in respect of PRS.

3.10.2

All intermediary providers must have a single point of contact (SPoC) who acts as the point of contact for the PSA regarding systems issues and security. The SPoC should be registered as such with the PSA and should be a suitably qualified or experienced person with technical expertise in systems issues and security.

3.10.3

All intermediary providers (except where they are providing voice-based services) must comply with the technical standards set out at Annex 3. The PSA may update these technical standards from time to time (in line with technological advances) following comment and approval by Ofcom, and following reasonable consultation where the PSA considers it to be appropriate. The PSA will provide notice of any such updates by publishing them on its website no less than 30 days before any updated technical standards come into force.

3.10.4

All intermediary providers (except where they are providing voice-based services) must have their platform security-tested on an annual basis by a third party which appears on the NCSC Approved List. Results of any such security test must be submitted to any network operator(s) with which the relevant intermediary provider has a contractual relationship.

3.10.5

All intermediary providers must act upon any security alerts or flags, whether received from their own monitoring or from information shared by others, in a timely manner.

3.10.6

Network operators must ensure that any platform security test results submitted to them in accordance with paragraph 3.10.5 are assessed by suitably qualified or experienced staff with the requisite technical expertise to analyse the results and make appropriate recommendations.

3.10.7

Network operators and intermediary providers must provide the results of all intermediary provider platform security tests to the PSA in accordance with any request made pursuant to Section 4 or any direction for information made under paragraph 6.1 of this Code.

3.10.8

Network operators must have contracts in place that allow them in appropriate circumstances to suspend or terminate their relationships with intermediary providers:

  1. on the basis of a technical or security threat or issue; and/or
  2. where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.
3.10.9

Intermediary providers must have contracts in place that allow them to suspend or terminate a payment facility to any merchant provider or third-party content verification platform:

  1. on the basis of a technical or security threat or issue; and/or
  2. where they discover the existence of activities that do not comply with one or more provisions of this Code, or where they reasonably suspect that any such non-compliant activities have occurred or are occurring.
3.10.10

Any evidence created and stored in relation to the Requirements for obtaining consent to charge set out at paragraphs 3.3.6–3.3.17 above must be independently auditable and provided to the PSA upon request.

3.10.11

Where a PRS provider engages any third party to undertake activities to obtain or verify consumer consent to charges on its behalf, it must require that third party by contract to supply the PSA with any relevant data or information upon request, to the extent permitted by law.

3.10.12

Network operators must have in place contracts with intermediary providers which allow for the randomised testing of platforms, including third-party platforms, at any time. Network operators must retain the right to refuse to accept verifications by any third-party platform at their discretion.

3.10.13

All network operators and intermediary providers must implement a coordinated vulnerability disclosure scheme and act upon any issues reported.

(iii) Service-specific requirements

3.11.1

Society Lottery Services must not be used by anyone under the age of 16 years.

3.11.2

Promotions for Society Lottery Services must contain details of:

  1. the Society Lottery that benefits from the running of the service; and
  2. the intermediary provider and merchant provider responsible for the service.
3.11.3

For each and every valid entry, the consumer must be issued with a valid ticket of entry to the Society Lottery that sets out all ticketing information as required by law. 

3.12.1

Promotional material must clearly set out details of the operator or PRS provider’s qualifications and training which enable them to provide the Professional Advice Service.

3.12.2

Any oral or written communication relating to the review of an agreement for the provision of the Professional Advice Service constitutes promotion or provision of that service.

3.13.1

Any promotion must make clear that winning is not a certainty.

3.13.2

Prior to entry, the consumer must be clearly provided with:

  1. a clear description of how the service works and instructions on how to use it;
  2. information on the prizes available (including where relevant the amount of money that consumers stand to win), the number of prizes available, and any restrictions on the number of prizes that can be won;
  3. the full cost of participation, including but not limited to the cost of entry;
  4. the date and time after which the consumer can no longer enter or participate;
  5. how and when winners will be contacted;
  6. how and when prizes will be received or money won will be paid;
  7. how prize winnings will be calculated; and
  8. where relevant, any criteria for judging entries.
3.13.3

All valid responses for entry into a competition within a TV or radio programme that are sent in by consumers within the timeframe set out in the promotional material must be entered into the competition and given equal consideration.

3.13.4

Consumers whose entries are valid must receive confirmation that they have been entered into the competition.

3.13.5

Competition entries that are sent outside of the times outlined in the promotion must be considered invalid. Any consumer who sends such an entry must be informed that their entry is invalid and that they have not been entered into the competition. The consumer must also be informed whether or not they have been charged.

3.13.6

Where the method of entry is via a phone call, any call that has commenced during the specified time period for entries must be considered valid. This includes calls that have commenced during the specified time period for entries, but have not been completed prior to the closure time.

3.13.7

Where a TV or radio programme is repeated, the route of entry must only remain open if the entries received will still be considered valid.

3.13.8

Where a service contains multiple routes of entry, all routes of entry must be presented and displayed with equal prominence.

3.13.9

All valid entries must have the same chance of winning.

3.13.10

Consumers must not be subjected to any additional costs in order to claim prizes once draws have been made.

TV and radio broadcast voting
3.13.11

All valid votes or entries sent by the audience must be available in sufficient time to be fully considered and reflected in the outcome of an event. In circumstances where the consumer has been clearly informed of the time period in which votes or entries will be valid, any votes or entries received outside this time will be considered invalid and will not need to be considered or reflected in the outcome of an event.

3.13.12

All valid votes or entries received before lines have been announced as open, or after an announcement that lines are closed, must be considered invalid and must not be counted.

3.13.13

Calls that have already commenced at the time of a closure announcement must be completed, considered valid and counted. Invalid votes or entries may only be charged where:

  1. the risk of being charged for invalid votes or entries has been clearly communicated to the audience;
  2. consumers whose votes or entries are invalid are clearly informed that their vote or entry is invalid and whether a charge has been applied; and
  3. the receipt of invalid votes or entries after lines have been announced as closed is not due to technical failure.
3.13.14

Where a PRS provider has made arrangements for the handling of excess peak traffic by third parties, these arrangements must ensure that all valid votes or entries so handled are treated the same as those received by the provider.

3.13.15

Phone lines must not remain open when programmes are repeated, except where votes or entries will still be considered valid.

3.13.16

There must be no amendments to the operational systems or procedures relating to the service without senior management authorisation. Any such operational systems or procedures must identify persons in senior management positions within the relevant organisation who have the power to authorise such changes. 

3.14.1

Promotional material must set out:

  1. that Remote Gambling Services are not to be used by anyone under the age of 18 years;
  2. warnings about underage use;
  3. how the service works and how to use it;
  4. any significant terms and conditions (with an accessible hyperlink to the full terms and conditions);
  5. the amount of money that consumers stand to win and how winnings will be calculated;
  6. a clear explanation of how winnings will be paid;
  7. information about responsible gambling, or accessible hyperlinks to such information.
3.14.2

Consumers must be able to access their playing history and account information at any time while using the service.

3.15.1

Promotional material must state that all calls will be recorded.

3.15.2

All calls must be recorded in full, with time-stamps and date-stamps to show each consumer’s entry into, usage of and exit from the service.

3.15.3

If recording ceases at any time and for any reason, calls must be disconnected.

3.15.4

Recordings of Live Entertainment Services must be retained for three years from the point at which the data is collected, in line with the PSA’s data retention requirements. Any such recordings must be provided to the PSA upon request, to the extent permitted by law.

3.16.1

Where services enable consumers to purchase virtual currency, it must be clear how this virtual currency may be used, as well as whether and when it expires.

3.16.2

Where services automatically ‘top up’ a consumer’s virtual currency account once all the currency has been spent (by automatically triggering a further PRS charge or charges on the consumer), this must be made clear to the consumer, prior to purchase.