Code of Practice
The rules set out in this Annex apply to all PRS providers involved, or intending to be involved, in the provision of the relevant service types set out at paragraph 1.3 below.
Failure to comply with the actions specified in relation to any service type will amount to a breach of the Code in accordance with paragraph 6.2.14 of the Code.
The rules set out in this Annex apply to the following service types:
- Sexual Entertainment Services
- Live Entertainment Services
- Chatline Services
- Professional Advice Services
- Virtual Chat Services
- Counselling Services
- Children’s Services
When a service charge of £15 (inclusive of VAT) has been spent on the call, callers must be notified that such a charge has been incurred.
When a service charge of £30 (inclusive of VAT) has been spent on the call, the call must be terminated immediately unless the consumer positively confirms a wish to continue to use the service.
When a service charge of £40 (inclusive of VAT) has been spent on the call, the call must be terminated immediately.
All Virtual Chat Services must, as soon as is reasonably possible after the consumer has spent £10 (inclusive of VAT), and after every £10 (inclusive of VAT) of spend thereafter:
- inform the consumer separately from the service or any promotion that £10 (inclusive of VAT) has been spent; and
- terminate the service promptly if the consumer does not interact further with it following the provision of the message sent in accordance with (a) above.
Counselling Services offered on a one-off basis must terminate after 20 minutes.
Where a pre-arranged number of counselling sessions is offered, each call must terminate after 60 minutes.
Children’s Services must not charge more than £5 (inclusive of VAT) per call in a single transaction or per month for a subscription.
Children’s Services must not charge more than £20 (inclusive of VAT) over a single monthly billing period.
The due diligence information required to be collected under this Annex is for the purpose of aiding compliance with paragraphs 3.9.1 and 3.9.2 of the Code. In addition to all other relevant DDRAC Requirements set out under paragraph 3.9 of the Code, PRS providers must collect the information set out under paragraph 2.3 below. PRS providers must collect such information in compliance with any applicable data retention notice issued by the PSA from time to time in accordance with paragraph 6.2.20 of the Code.
The information listed under paragraph 2.3 below must be reviewed on an annual basis and updated promptly where any such information has changed. Where any such information is updated the previous version of the information should be stored for reference as to the information held by the PRS provider at any particular point in time.
The information to be collected and reviewed under paragraphs 2.1 and 2.2 above are as follows:
- confirmation that the intermediary and/or merchant provider(s) have an accurately completed and up-to-date registration with the PSA.
- evidence that the intermediary provider and/or merchant provider is aware of the regulatory requirements applicable to them, and evidence of any steps taken to ensure compliance; for example, records of any engagement with the PSA.
- a copy of the intermediary provider’s and/or merchant provider’s PSA registration number.
- the intermediary provider’s and/or merchant provider’s compliance history with the PSA, including consideration of how long they have been operating in the UK PRS market.
- the compliance history of key officers and staff within the intermediary provider and/or merchant provider with significant influence (such as the directors).
- copies of each intermediary provider’s, merchant provider’s and/or contracted third party’s current entries (and first entries, if different from the current entries) in the Companies House register (or if the company is based outside of the United Kingdom, the equivalent register) where such an entry exists.
- the credit, insolvency and/or other legal proceedings history of the intermediary provider and/or merchant provider, and information on any previous or ongoing credit arrangements, insolvency proceedings or arrangements and/or judgments or decisions made by a court or other relevant body.
- verified contact details for the place of business, such as the address and telephone number of the intermediary provider, merchant provider and/or contracted third party.
- copies of the organisation chart of the intermediary provider, merchant provider and/or contracted third party.
- the company structure of the intermediary provider, merchant provider and/or contracted third party, such as names and details of any parent or holding company, if relevant.
- verified names and contact information for all relevant persons with significant influence or control over the intermediary provider, merchant provider and/or contracted third party, such as owners and directors.
- verified names and addresses of all individuals connected to the intermediary provider, merchant provider and/or contracted third party who receive any share of PRS revenue generated.
- where appropriate, undertakings by the intermediary provider and/or merchant provider that no other natural or legal person is operating in the capacity of a shadow director under the Companies Act 2006.
- information that can be obtained using reasonable endeavours on whether any of the directors of the intermediary provider, merchant provider and/or contracted third party have been involved or connected with other companies that had previous findings, decisions and/or judgments against them as a result of action taken by the PSA or another regulator or enforcement body (such as Ofcom, ICO, FCA, Trading Standards).
- information as to who within the intermediary provider and/or merchant provider is responsible for signing-off on, and accountable for, due diligence within the company.
- documentation evidencing the policies and procedures the intermediary provider and/or merchant provider has in place to manage due diligence and risk assessment as required by paragraph 3.9.6 of the Code.
- the agreed channels/staff within the intermediary provider, merchant provider and/or contracted third party for dealing with correspondence such as those relating to legal, financial and compliance matters.
All platforms should be hosted strictly independently of any merchant provider. Where an intermediary provider wishes to offer services on its own platform, it must retain ownership, control and responsibility for all aspects of the service.
All platforms should use the current version of the Transport Layer Security (TLS) protocols or, as a minimum, a non-deprecated version.
All platforms should have in place a strong Content Security Policy (CSP) to restrict resource usage.
Browser Cross-site Scripting (XSS) mitigations should be enabled on all platforms by default.
HTTPS Strict Transport Security (HSTS) headers should be enabled on all platforms by default.
Payment pages should protect against click-jacking, for example by use of HTTP Headers.
Any phone-paid transaction must only occur over correctly validated HTTPS connections.
Payload protection should be implemented such that it cannot be edited partway through a transaction.
Rate-limiting should be in place for login attempts, in order to prevent “brute force” password-guessing.
Authentication cookies should be encrypted by default on all platforms and must expire within a reasonable amount of time.