Strengthen Your DDRC for the Ofcom Era! 

The UK phone-paid services market is set for a significant regulatory change, with the Phone-paid Services Authority (PSA) handing over its responsibilities to Ofcom on 1st February 2025. For companies in the charge-to-bill value chain, this transition is an opportunity to review and strengthen due diligence, risk assessment, and control (DDRC) measures to ensure compliance with evolving regulatory expectations. 

A Stable Market Built on Strong DDRC Practices 

The UK phone-paid services market is widely recognised as a stable and well-regulated market, thanks in large part to the PSA’s strong focus on DDRC. Over recent years, the PSA’s robust regulatory approach has contributed to a market environment that sees only a small number of compliance issues each month. However, this stability hasn’t come without enforcement action. 

New entrants, particularly those from less mature regulatory environments, can find themselves caught out by the UK’s more rigorous requirements. The PSA has consistently demonstrated its willingness to enforce compliance standards when DDRC measures fall short. 

A recent adjudication against a telco provider illustrates this. High volumes of complaints about its merchant providers triggered an investigation, covering two breaches of the PSA Code. While the PSA found that the provider had conducted satisfactory due diligence, its risk assessment and control measures were deemed inadequate. The PSA classified the overall breach severity as very serious and imposed significant sanctions: 

  • A formal reprimand (a public record of non-compliance). 
  • A fine exceeding £250,000.00. 
  • A requirement to conduct a compliance audit by an approved third party within 12 months and implement the recommendations. 
  • An administration fee of nearly £14,000.00. 

This case serves as a stark reminder that the UK’s regulatory environment leaves little room for error, particularly around DDRC. 

What Changes Under Ofcom? 

While Ofcom has retained the PSA’s codes relating to DDRC, it has strengthened and expanded them in certain areas. Key updates include: 

1. Formal Definition of Risk

Ofcom defines “risk” as any reasonably identifiable circumstance or event with potential adverse effects on consumers. Providers are now required to assess risks across: 

  • The purpose and nature of the arrangement. 
  • The parties involved. 
  • The content, promotion, and marketing of controlled PRS. 

2. Broader Scope of Risk Assessments

Providers must assess risks associated not just with direct partners but also subcontractors. This requires additional diligence when onboarding merchants and affiliates. 

3. Stronger Accountability Measures

Providers must regularly review their DDRC measures at intervals not exceeding 12 months. Networks and intermediaries must suspend or terminate arrangements with merchants (and other intermediaries) if they suspect a contravention or security compromise. 

4. Complaint-Driven Risk Reviews

While consumer complaints don’t automatically indicate non-compliance, Ofcom expects providers to have regard for consumer enquiries or complaints in their risk assessments and take appropriate action where necessary. 

These updates underscore Ofcom’s commitment to protecting consumers from harm by ensuring networks, aggregators and content service providers have robust DDRC mechanisms in place. 

Anticipating Increased Scrutiny 

Ofcom is no stranger to DDRC. With its experience in overseeing the wider communications industry, the regulator is accustomed to engaging with entities that have strong compliance frameworks and the resources to support them. This could mean higher expectations for the phone-paid services industry, particularly for smaller players or those operating with leaner resources. As an industry, we should prepare for a level of scrutiny that potentially exceeds what we’ve experienced under the PSA. 

How MCP Insight Can Help 

The transition to Ofcom presents an opportunity to assess and refine your DDRC processes. MCP Insight offers comprehensive DDRC reviews and compliance audits to ensure your business is prepared for the new regulatory framework. 

Our services include: 

  • Partner Risk Assessments: Evaluate the compliance and risk levels of your merchant providers. 
  • DDRC Process Reviews: Identify gaps in your due diligence, risk assessment, and control mechanisms. 
  • Live Service Compliance Audits: Assess your onboarded services for compliance with regulatory standards. 

Don’t leave compliance to chance—get in touch with MCP Insight today to ensure your DDRC processes are fit for purpose and ready for Ofcom’s oversight. 

Contact us to schedule a discovery call or click below for further information.

Learn more about our DDRC review designed to prepare payment aggregators and intermedaries for Ofcom.

related posts

The RCS Backlog Problem: Why MNOs Need to Rethink DDRC 

RCS offers MNOs a premium messaging opportunity — but onboarding bottlenecks are delaying campaigns, frustrating partners, and stalling revenue. This article explores why DDRC is slowing things down and how MNOs can rethink their approach to speed up approvals without increasing risk.
Regulation at the Speed of Innovation, Without Slowing the Market

Mobile value‑added services are growing quickly, offering consumers access to a wide range of digital content and driving digital inclusion. But with growth comes risk - and oversight must adapt. This article explores how consistent, day‑to‑day visibility into advertising and compliance flows helps regulators target risk earlier, protect consumers, and sustain clean market growth without slowing innovation.
From Chargebacks to TikTok: What the Latest Payment and Discovery Trends Mean for mVAS

As digital payment journeys grow more complex, the real battleground is clarity, not conversion. From rising card chargebacks to the growing influence of TikTok on user acquisition, the mobile payments ecosystem is evolving fast. For MNOs, aggregators, and merchants, that means one thing: deliver transparency and trust at every step, or risk losing out to more agile, user-focused competitors.
Load more...