The recent Ofcom consultation, accompanied by the draft PRS Order, was published on November 21, 2023, setting the stage for significant changes in the regulation of phone-paid services in the UK (currently under PSA – Phone-paid Services Authority). Stakeholders and interested parties have until January 23, 2024, to submit their responses, with Ofcom planning to present the finalised statement and lay Order to Parliament in the spring of 2024. The expected effective date for the Order is October 1, 2024.
Clients, please note, when the Order becomes law any potential for change is highly unlikely, so Industry needs to work with representative bodies like AIMM, to lobby Ofcom and get the Order fit for purpose before the deadline.
The draft PRS Order retains core principles from PSA’s Code 15 while aligning Ofcom’s enforcement strategy with its practices in other regulated sectors. Cases unresolved before the transition will be transferred to Ofcom, with enforcement actions mirroring those outlined in the code.
Key Consultation points include:
- Ofcom will retain the current PRS levy-based funding model.
- Ofcom will not be retaining prior permission or issuing non-binding guidance and advice.
- Merchants will be responsible for making/retaining records of consent to charge.
- Registration requirements to Service Checker are streamlined and the registration fee is withdrawn.
- ICSS Services will require a free pre-call announcement.
- Ofcom cannot impose a penalty at the final decision stage which is higher than the proposed provisional decision and the maximum penalty will be £250K per breach.
- Aligned to Ofcom enforcement in other sectors, there will be no Appeal or Oral Hearing facility, as is currently the case with PSA.
Additionally, from our reading of the draft Order, there is an increased focus on pre-contract risk assessment as part of due diligence and risk control (DDRC). The following five points are important to note:
- Pre-contract Risk Assessment: To include solvency considerations in the event of sanctions.
- Risk Drivers: Compliance history, company size, structure, and breach history are considered risk drivers.
- Mitigation: Risks must be identified and recorded, with a requirement for written records of assessments and outcomes. If risks cannot be mitigated, trading is prohibited.
- Risk Reviews: Scheduled risk reviews, at least annually, to assess ongoing risks, identify new risks and review (and amend where necessary) mitigation plans.
- Accountability: Requirement for a nominated “general authorised person” in each company, personally accountable and possibly subject to new criminal liability. Their details will need to be officially registered with Ofcom.
If you have any questions or concerns regarding the consultation and what it may mean to your business, please do reach out to your MCP Account Manager.