Due Diligence and Risk Assessment and Control
20/04/2012 Compliance update for providers of premium rate services who are responsible under the PhonepayPlus Code for Due Diligence and Risk Assessment and Control on other providers with whom they contract
FOR THE ATTENTION OF ALL THOSE INVOLVED IN PROVIDING PREMIUM RATE SERVICES FOR THE PURPOSES OF SECTION 120 OF THE COMMUNICATIONS ACT 2003
This update is to inform all those who provide premium rate services (PRS) for the purposes of section 120 of the Communications Act 2003, that PhonepayPlus' independent Tribunal has now adjudicated for the first time on rules pertaining to Due Diligence and Risk Assessment and Control, as set out in the PhonepayPlus Code of Practice (12th Edition) (“the Code”). Those involved in providing PRS should familiarise themselves with the following information:
At the Tribunal hearing of 12 April 2012, a number of breaches of Code paragraphs relating to Due Diligence, and to Risk Assessment and Control, were upheld for the first time since the Code came into force on 1 September 2011.
This update is to clarify on what grounds the breaches were upheld, in order that providers can review, and if necessary refine, their existing procedures for performing Due Diligence and Risk Assessment and Control.
Breaches, and resulting compliance expectations
Paragraph 3.1.3(a) & (b) – Risk Assessment and Control
All network operators, Level 1 and Level 2 providers must . . . assess the potential risks posed by any party with which they contract in respect of:
(a) the provision of premium rate services, and
(b) the promotion, marketing and content of the premium rate services which they provide or facilitate,
and take and maintain reasonable steps to control those risks.
As a result of the Tribunal’s decision, PhonepayPlus can clarify that compliance with paragraph 3.1.3(a) and (b) is highly likely to include, but not be limited to, the following expectations:
- Assess key indicators as to whether a client is a potential high risk provider. Where the client has not previously operated PRS, or is otherwise unknown, they should be assessed as high risk in the first instance.
- Check the names of the client’s directors and other associated individuals against previous PhonepayPlus directions. On this occasion, an individual associated with the client had been referred to in a previous PhonepayPlus direction.
- Conduct a search using the PhonepayPlus registration database, as advised by PhonepayPlus’ Guidance on Due Diligence, Risk Assessment and Control, or use alternative means to ascertain information about the client which is relevant to a risk assessment.
- Ascertain how a client will promote their service, and where warranted by the risk posed by the client and the service, seek examples of promotional material, assess them and issue any advice or direction to the client as a result.
- Take ongoing steps to control risk following the launch of the client’s service, in line with the risk assessment already performed.
PhonepayPlus would advise providers to review, and if necessary modify or refine, their existing risk assessment and control procedures to ensure that they meet, at the least, the expectations bulleted above. A failure to do so is likely to breach the Code in the event of an investigation.
Paragraph 3.3.1 – Contracts
All network operators and Level 1 providers must perform thorough due diligence on any party with whom they contract in connection with the provision of premium rate services and must retain all relevant documentation during that process for a period that is reasonable in the circumstances.
As a result of the Tribunal’s decision, PhonepayPlus can clarify that compliance with the Code is highly likely to include, but not be limited to, the following expectations:
- To properly check Companies House data to ensure that the information provided by a client matches that held by Companies House. On this occasion the client provided a false company number which later appeared on the contract concluded with the Network operator. The client was also registered with PhonepayPlus as a sole trader, and so would not in any case have had a company number from Companies House.
- To properly retain proof of identification for a sole trader or for company directors.
- To properly verify the address given by a client. The use of Google Earth to check that the address exists is highly unlikely to be deemed adequate, unless further checks subsequently take place to ascertain whether the address given is actually used by the client.
PhonepayPlus would advise providers to review, and if necessary modify or refine, their existing due diligence procedures prior to contracting with clients to ensure that they, at the very least, meet the expectations bulleted above. A failure to do so is likely to breach the Code in the event of an investigation.
Paragraph 3.3.3(b) – Contracts
. . . contracts must include provisions that pursuant to section 1 of the Contracts (Rights of Third Parties) Act 1999, PhonepayPlus may directly enforce the relevant term(s) of that contract.
As a result of the Tribunal’s decision, PhonepayPlus can clarify that contracts which do not include such provisions are highly likely to breach the Code in the event of an investigation.
For further information please send enquiries to: firstname.lastname@example.org