Statement on the regulation of Payforit
The Payforit scheme is a consumer purchase experience designed to deliver secure charge-to-mobile payment flows that is promoted by the UK MNOs and is defined as a Controlled Premium Rate Service (CPRS) by Ofcom using the powers set out in s120(3) of the Communications Act 2003, which means that services which use the Payforit scheme rules fall under PhonepayPlus’ regulatory remit. By having the Payforit scheme rules within its remit PhonepayPlus’ goal in regulating Payforit, (as with any other form of PRS), is to regulate in a way that is proportionate and targeted according to identified risk.
As such PhonepayPlus recognizes the Payforit scheme rules offers Level 2 providers the ability to lessen consumer risk by ensuring pricing clarity and robust proof of consent to charge where its systems and rules are properly followed. However PhonepayPlus also recognizes that the Payforit scheme does not guarantee that Level 2 providers will be fully compliant with the PhonepayPlus Code of Practice as it is designed to deliver a consistent payment flow/experience and does not seek to control (for example) the promotion of a service.
Role of the Payforit Management Group
The Payforit Management Group (PFI MG) consists of the UK Mobile Network Operators (MNOs) who control the Payforit scheme rules and representatives of Accredited Payment Intermediaries (Level 1 providers) and merchants (Level 2 providers) who actively influence the development of the Payforit scheme rules. The PFI MG’s goal is to ensure that the best possible consumer experience is maintained to deliver a secure and trusted payment experience and that any improvement of the Payforit systems and rules is harmonised across all UK Mobile Networks. PhonepayPlus attends PMG meetings and offers comment and advice in relation to improvements in order to ensure consumer confidence through compliance with the PhonepayPlus Code of Practice.
Use of Payforit in premium rate services
Where used correctly, Payforit ensures that consumers are clearly presented with the price of a product or service prior to purchase, and that a robust consent to charge is obtained for every transaction, which the L1 Provider (i.e. the Accredited Payment Intermediary in Payforit terms) can independently verify. Providers of Payforit services are obligated to follow the Payforit Scheme Rules, in addition to the PhonepayPlus Code.
For avoidance of doubt, the use of Payforit is not in itself a guarantee of compliance with any Code outcomes. Where the Payforit scheme rules are not used correctly then it will not serve as a mitigating factor in any case of consumer harm. Examples include, but are not limited to, the following:
- Overcharging – i.e. where a consumer has consented to a charge but is then charged more than they consented, or further charges are made without consent
- Poor pricing transparency on a Payforit payment screen – e.g. where a price is listed as “2x£4” rather than “£8”
- Misleading promotions other than price – e.g. where the Payforit screen is correct, but the consumer has previously been misled to think they will receive a free gift or vouchers with their purchase when this is not the case.
- Techniques such as i-Framing, used to hide pricing or other parts of a Payforit payment screen.
Where Payforit can provide assistance in complying with the PhonepayPlus Code
Where used correctly, the use of Payforit systems and payment screen technology should allow an L1 or L2 Provider to meet its obligations in relation to the following sections of the 12th edition of the PhonepayPlus Code:
- Section 2.2 Transparency and pricing
- Pricing transparency where relevant to rules 2.3.1 and 2.3.21
- Rules 2.3.4 and 2.3.11 related to Fairness
- Section 2.4 Privacy2
Given that it is the L1 provider that is responsible for the Payforit systems and payment screens it is their responsibility to ensure all sections of the Payforit scheme rules are followed and thereby enable the above requirements to be met.
Where Payforit does not provide additional assistance in complying with the PhonepayPlus Code
The use of Payforit assists an L2 or L1 provider with its responsibilities in terms of parts of the PhonepayPlus Code, but does not discharge an L2 or L1 Provider from those responsibilities. Whereas the correct use of Payforit mechanics and payment screens assists L2 and L1 Providers in complying with the rules considered above, we consider that Payforit does not offer any additional assistance in complying with, in particular, the following sections and rules of the PhonepayPlus 12th Code. L2 Providers should ensure adherence with these rules in the same way as if they were not using Payforit:
2.1.1 Premium rate services must comply with the law.
2.1.2 Premium rate services must not contain anything which is in breach of the law, nor omit anything which the law requires.
2.1.3 Premium rate services must not facilitate or encourage anything which is in any way unlawful.
2.3.1 Consumers of premium rate services must be treated fairly and equitably.
2.3.2 Premium rate services must not mislead or be likely to mislead in any way.
(This applies in particular where such misleading activity takes place outside the Payforit payment screen and systems)
2.3.5 Premium rate services must not be of a nature which encourages unauthorised use by non-bill payers.
2.3.7 Level 2 providers of sexual entertainment services must take all reasonable steps to discourage use by non-bill payers and to prevent use by those under 18 years of age.
2.3.8 Level 2 providers of virtual chat services must take all reasonable steps to discourage use by non-bill payers and to prevent use by those under 18 years of age. However, non-sexual entertainment text and picture-based virtual chat services may be used by those aged 16-17 provided that no advertising for the service has occurred in media where the target audience is below 16 years of age.
2.3.9 Premium rate services must not directly appeal to children to purchase products or take advantage of children’s potential credulity, lack of experience or sense of loyalty.
2.3.10 Premium rate services must not seek to take advantage of any vulnerable group or any vulnerability caused to consumers by their personal circumstances.
2.5 Avoidance of harm
2.5.1 Premium rate services must not cause or be likely to cause harm or unreasonable offence to consumers or to the general public.
2.5.2 Premium rate services must not promote or incite or be likely to promote or incite hatred in respect of any group or individual identified by age, disability, gender, race, religion or belief, sexual orientation or transgender status.
2.5.3 Premium rate services must not encourage or be likely to encourage consumers to put themselves or others at risk.
2.5.4 Premium rate services must not promote or facilitate prostitution.
2.5.5 Premium rate services must not induce and must not be likely to induce an unreasonable sense of fear, anxiety, distress or offence.
2.5.6 Level 2 providers must ensure that their services are not promoted in an inappropriate way.
2.5.7 Level 2 providers must use all reasonable endeavours to ensure that promotional material is not targeted at or provided directly to those for whom it, or the service which it promotes, is likely to be regarded as being offensive or harmful.
2.5.8 Premium rate services aimed at or likely to be particularly attractive to children must not contain anything which a reasonable parent would not wish their child to see or hear in this way.
2.5.9 Where premium rate services involve the possibility that two or more consumers might be able to exchange contact details or make arrangements to meet, then clear advice should be given regarding appropriate safeguards, in line with any generally available police advice.
Rule 2.3.3 - Consent for service
The L2 Provider will not be responsible for rule 2.3.3 if the L1 Provider is responsible for presenting information to consumers and obtaining their consent to purchase.
For example, an L1 Provider may offer a content management system integrated with Payforit and provide an audit trail of the consumer’s consent to buy a service.
Where Payforit is used correctly, then consumer consent to a charge should always be independently verifiable and as such the proper use of Payforit would normally be compliant with rule 2.3.3. However L2 providers must note that whilst Payforit does supply independently verifiable evidence of consent to charge, it does not necessarily provide independently verifiable evidence of the web page or pages that the consumer viewed at the point of, or prior to purchase. As such the use of Payforit will not prevent consumers from being misled prior to the Payforit checkout and therefore the L1 and L2 should take firm steps to ensure that all promotions relating to the product or service are not misleading or otherwise non-compliant with the Code.
Rule 2.3.6 and 2.3.12 – Bill shock and spend reminders
In order to satisfy the requirements of rule 2.3.6 of the Code in relation to prevention of bill shock, it is recommended that the L1 Provider sends a spend reminder each time £100 is spent by a consumer for a service in a given month, in addition to all other Payforit spend reminders. Where providers do not do this then they should keep records of all steps they have taken to prevent bill shock, and provide and explain them to PhonepayPlus upon request.
It is the responsibility of the L1 Provider under Payforit to ensure all service spends limits and reminder obligations in 2.3.12, particularly for Children’s Services, are met. A link to Guidance on how PhonepayPlus will define a Children’s Service is found here.
Section 2.6 - Complaint Handling
The use of Payforit does not relieve an L2 Provider of its responsibilities under section 2.6. However, if the L1 Provider fulfils the customer care role for an L2 Provider using Payforit, then it is likely the L1 Provider will be held responsible for any alleged breaches of the Code by a service in relation to section 2.6.
Should PhonepayPlus receive a customer enquiry or complaint which is not easily identifiable as a Payforit transaction, the L1 Provider (in their role as the party which has verified and logged consumer consent to payment) will first be sent a log request in order to confirm whether or not the service is a Payforit transaction (see “PhonepayPlus Investigations” section below).
L2 Providers that operate PRS services using Payforit must be registered with PhonepayPlus before beginning to operate those services, as they are required to do when using other PRS services. The L1 Provider should ensure their clients’ registrations are correct and up to date as well as fulfil their obligations for due diligence and on-going risk assessment and control.
Specifically paragraph 3.4.12 a) of the PhonepayPlus Code requires the following:
“Level 2 providers must provide to PhonepayPlus relevant details (including any relevant access or other codes) to identify services to consumers . . .”
Where L2 Providers register Payforit services in line with the requirement above, they should be registered in such a way as to accurately reflect the differences between how Mobile Operators describe Payforit on consumers’ phone bills. PhonepayPlus will continue to engage with Mobile Operators to clearly establish the differences in the way in which they identify Payforit services to consumers, and the potential for standardisation of identifiers. We will implement such changes to the registration database as are necessary to allow registration in a way which is clear to consumers using our Number Checker facility.
Where used correctly, PhonepayPlus considers that Payforit is an acceptable mechanic for evidencing consent to charge. If the L1 Provider has correctly followed the Payforit scheme rules then the consent to charge aspect of the L1 Provider’s responsibility to monitor services should be covered.
An L1 Provider should ensure that an L2 Provider’s promotion of a service is in accordance with the fairness and avoidance of harm sections outlined above. This monitoring should be ongoing (as the L1 Provider’s risk assessment of the service and the provider) and in proportion to the size of the service. For more information about risk assessment and monitoring, providers should read PhonepayPlus’ Guidance on Due Diligence, Risk Assessment and Control.
Services requiring prior permission
Certain categories of service require prior written permission from PhonepayPlus before they commence. With the exception of the exemption listed below, services using Payforit as the charging mechanic will still require prior permission and this should be obtained before a service goes live. For more information about how to obtain prior permission, please follow the link here.
Services using only Payforit (including Payforit Single Click) as the payment mechanism to charge are exempt from this prior permission requirement.
Subscription services which charge more than £4.50 in any given 7 days
Services using only Payforit were previously exempt from this prior permission requirement. However in light of recent examples of consumer harm PhonepayPlus has currently suspended this exemption.
PhonepayPlus offers free compliance advice regarding the promotion, operation and/or content of any premium rate service. The Industry Services Team can be contacted for compliance advice via the email address email@example.com .
Where PhonepayPlus receives complaints about services using the Payforit scheme rules, and there is no immediate evidence to suggest significant consumer harm or incorrect usage of Payforit, consumer complaints will be forwarded in the first instance to the appropriate L2 provider for resolution. In cases where the identity of the L2 provider is not easily established, then consumer complaints will first be forwarded to the consumer’s mobile operator in order that they can establish the identity of the L2. Consumers who remain dissatisfied must, as set out at rule 2.6.5 of the Code, be referred back to PhonepayPlus.
However where PhonepayPlus receives complaints about a service using Payforit, whether direct or referred from a mobile operator, we reserve the right to use rule 4.2.3 of the Code to request preliminary information from L1 or L2 providers concerning the service in circumstances where there is preliminary evidence that suggest a breach of the Code which warrants a Track 1 or 2 investigation.
After reviewing any information requested, the complaints may be:
- Closed due to a lack of evidence that the Code has been breached;
- Attached to an ongoing investigation (previously opened as a result of other complaints about the same service);
- Dealt with using a Fast Track intervention, or Track 1 investigation. In both cases the provider must resolve the cause or causes of consumer harm to the satisfaction of PhonepayPlus, and a record of the breach (where a Track 1 investigation is used) and action taken to resolve the harm will be retained by PhonepayPlus;
- Opened as a Track 2 investigation or, where immediate and serious consumer harm is identified, an Emergency Procedure.
Where PhonepayPlus commences a Track 2 investigation of a service using Payforit, and raises a breach (or breaches) of the Code against a premium rate service, PhonepayPlus will submit details of these alleged breaches to the provider within a breach letter. The provider will have the opportunity to respond to PhonepayPlus’ breach letter before a case is presented to a Tribunal made up of three members of the PhonepayPlus Code Compliance Panel as set out in the Code. The provider will also have the opportunity to request attendance at the Tribunal hearing to clarify any aspect of its case.
PhonepayPlus will continue to review the consumer risks presented by different types of PRS and PRS payment mechanics, including Payforit scheme rules, on an ongoing basis. We will ensure that regulation is reviewed where appropriate, in order that it continues to be proportionate to the level of consumer risk identified.
1 Providers using Payforit should note that this applies only to activity which takes place within Payforit payment screens and/or systems. Payforit is not designed to provide extra assistance to prevent any other misleading activity, including in the case of any misleading promotions prior to a Payforit screen.
2 Providers should note that while Payforit assists in compliance with requirements around data collection and consent to marketing based on previous purchase, it does not assist with inappropriate marketing, or marketing which does not offer an opt-out in line with PECR requirements