Strengthen Your DDRC for the Ofcom Era! 

The UK phone-paid services market is set for a significant regulatory change, with the Phone-paid Services Authority (PSA) handing over its responsibilities to Ofcom on 1st February 2025. For companies in the charge-to-bill value chain, this transition is an opportunity to review and strengthen due diligence, risk assessment, and control (DDRC) measures to ensure compliance with evolving regulatory expectations. 

A Stable Market Built on Strong DDRC Practices 

The UK phone-paid services market is widely recognised as a stable and well-regulated market, thanks in large part to the PSA’s strong focus on DDRC. Over recent years, the PSA’s robust regulatory approach has contributed to a market environment that sees only a small number of compliance issues each month. However, this stability hasn’t come without enforcement action. 

New entrants, particularly those from less mature regulatory environments, can find themselves caught out by the UK’s more rigorous requirements. The PSA has consistently demonstrated its willingness to enforce compliance standards when DDRC measures fall short. 

A recent adjudication against a telco provider illustrates this. High volumes of complaints about its merchant providers triggered an investigation, covering two breaches of the PSA Code. While the PSA found that the provider had conducted satisfactory due diligence, its risk assessment and control measures were deemed inadequate. The PSA classified the overall breach severity as very serious and imposed significant sanctions: 

  • A formal reprimand (a public record of non-compliance). 
  • A fine exceeding £250,000.00. 
  • A requirement to conduct a compliance audit by an approved third party within 12 months and implement the recommendations. 
  • An administration fee of nearly £14,000.00. 

This case serves as a stark reminder that the UK’s regulatory environment leaves little room for error, particularly around DDRC. 

What Changes Under Ofcom? 

While Ofcom has retained the PSA’s codes relating to DDRC, it has strengthened and expanded them in certain areas. Key updates include: 

1. Formal Definition of Risk

Ofcom defines “risk” as any reasonably identifiable circumstance or event with potential adverse effects on consumers. Providers are now required to assess risks across: 

  • The purpose and nature of the arrangement. 
  • The parties involved. 
  • The content, promotion, and marketing of controlled PRS. 

2. Broader Scope of Risk Assessments

Providers must assess risks associated not just with direct partners but also subcontractors. This requires additional diligence when onboarding merchants and affiliates. 

3. Stronger Accountability Measures

Providers must regularly review their DDRC measures at intervals not exceeding 12 months. Networks and intermediaries must suspend or terminate arrangements with merchants (and other intermediaries) if they suspect a contravention or security compromise. 

4. Complaint-Driven Risk Reviews

While consumer complaints don’t automatically indicate non-compliance, Ofcom expects providers to have regard for consumer enquiries or complaints in their risk assessments and take appropriate action where necessary. 

These updates underscore Ofcom’s commitment to protecting consumers from harm by ensuring networks, aggregators and content service providers have robust DDRC mechanisms in place. 

Anticipating Increased Scrutiny 

Ofcom is no stranger to DDRC. With its experience in overseeing the wider communications industry, the regulator is accustomed to engaging with entities that have strong compliance frameworks and the resources to support them. This could mean higher expectations for the phone-paid services industry, particularly for smaller players or those operating with leaner resources. As an industry, we should prepare for a level of scrutiny that potentially exceeds what we’ve experienced under the PSA. 

How MCP Insight Can Help 

The transition to Ofcom presents an opportunity to assess and refine your DDRC processes. MCP Insight offers comprehensive DDRC reviews and compliance audits to ensure your business is prepared for the new regulatory framework. 

Our services include: 

  • Partner Risk Assessments: Evaluate the compliance and risk levels of your merchant providers. 
  • DDRC Process Reviews: Identify gaps in your due diligence, risk assessment, and control mechanisms. 
  • Live Service Compliance Audits: Assess your onboarded services for compliance with regulatory standards. 

Don’t leave compliance to chance—get in touch with MCP Insight today to ensure your DDRC processes are fit for purpose and ready for Ofcom’s oversight. 

Contact us to schedule a discovery call or click below for further information.

Learn more about our DDRC review designed to prepare payment aggregators and intermedaries for Ofcom.

related posts

Strengthen Your DDRC for the Ofcom Era! 

Discover how the transition from PSA to Ofcom impacts the UK phone-paid services market. Learn about strengthened DDRC requirements and how to prepare for potentially enhanced compliance standards.

Black Friday: Tackling Misleading Advertising

With Black Friday fast approaching, mobile network operators need to stay vigilant against misleading advertising practices that can harm both customers and their DCB business.

Navigating the Global Carrier Billing Landscape

In an increasingly complex carrier billing landscape, payment aggregators face growing challenges in balancing compliance, supporting CSPs, and driving sustainable revenue. In this insightful interview, MCP Insight Director Kev Dawson shares his experience across the DCB value chain and offers practical advice for aggregators.