It’s said the best poker players are entrepreneurs. They excel in understanding that the most important insights are not in the grand gestures, but in the subtle tells that give away the real intent. So, I’m sure that many Telemedia readers will already be reading between the lines on the regulator’s 15th Code. International players may be slightly baffled by the amount of work and time that an Industry spends (the process started 1.5 years ago) on a switch from the 14th Code of Practice which was ‘outcomes’ based, to a 15th Code which is ‘standards’ based. The 15th Code is live 5th April 2022.
With any regulatory change, frantic activity is directed towards the user experience. Small changes, for example the ambiguous use of the word “BOLD” to describe pricing prominence within the Code Guidance documents, can cause a flurry of debate. The reality is that when the dust settles – apart from a quite big question around receipting requirement for PSMS chat – we will find that little has changed with the payment process or promotional standards; that price prominence and proximity remain central to flow design and the expectation is this should be applied in spirit as much as in the letter.
Away from the fanfare there is greater jeopardy around the ongoing application of standards. And I will focus here on Due Diligence and Risk ‘Assessment’ Control.
Due diligence is a term familiar to us all. Common in commercial practice to protect our own best interests, as well as in regulation to widen that protection to others. Throughout my 14 years in the phone paid sector it has been observable in every iteration of the Industry Regulator’s Code of Practice.
It comes as no shock that the 15th Phone Paid Services Authority (PSA) Code of Practice contains similar provision. It can be tempting to overlook the impact due to this familiarity.
Those with a keener eye may observe that previously the acronym DDRC was commonly used and yet the latest PSA documents formally introduces the longer DDRAC abbreviation.
On reviewing MCP’s own internal documentation and processes to ensure we remain at the forefront of 15th Code readiness in protecting our clients, it could have been tempting to ignore making any adjustment to this small detail. After all, we know what DDRC means, right?!
The thrust of the new code is responsibility. That is why the word “assessment” within the PSA’s chosen acronym is such a telling shift in the regulator’s focus.
The wisest will realise that the practice of treating the onboarding and accreditation of new clients as a simple tick box exercise will no longer suffice. The information collected must be used – and must also be demonstrated evidentially to have been used – in driving a real assessment of risk and dictating meaningful, ongoing, and action orientated risk mitigation plans.
The scope of these responsibilities is also being extended. Each layer of the value chain must not only exercise DDRAC over its directly contracted partners; it must be aware and demonstrate that it is taking a risk appropriate level of oversight in how those partners exercise their own controls.
The PSA adjudication against BT Agile Media for poor process controls is a harbinger of how PSA is expected to focus its redefined powers to extend adjudications and penalties up the value chain.
In assessing your 15th Code readiness you will need to ensure you have:
- Documented processes to explain your plan of engagement with partners throughout the lifetime of the contract (not just at inception)
- Specified information in Code Annex 2 must always be collected, but this list is not exhaustive; a client’s individual risk must drive what additional questions, checks or evidence are situationally appropriate
- Regular spot checks and documented audits of the risk plan being executed must occur; increasing in regularity and scope according to the assessed risk profile of that client, and character of particular content sectors
- General processes and individual client DDRAC documentation must be housed in an auditable, tamperproof and it’s recommended an independent data management system
- Have a culture of fluid regularly reassessed risk plan for each client that must reflect changing risk over the contract lifetime
- Put in place communication channels to share intelligence on changing risk drivers, high risk client or significant non-compliance incidents up and down the value chain
MCP realises that for most companies these regulatory changes seem a huge distraction from the core business goal of driving revenue. Businesses of different sizes will also have different levels of internal audit and compliance resource already available to them. We have therefore structured DDRAC support packages to meet every need, from simply providing an auditable tamperproof compliance portal for housing documents and correspondence; providing ad-hoc standalone testing; through to monitoring, auditing, or full risk management consultancy.
Please pick up the phone or email for more information or advice from MCP Insight’s senior management team, each of which have extensive knowledge of both regulation and commercial aspects, having all been working in the UK market for 20+ years.
Remember, the new Code is in place 5th April – so reach out soon. MCP Insight will be at Mobile World Congress and WT8.1 Barcelona 28th-1st March, 2022.
Visit the PSA’s dedicated 15th Code of Practice page to find out more.