The PSA Proposals for reform of Subscription Services – a missed opportunity?

The PSA are consulting on new Special conditions for Subscription services. These Special conditions are the inevitable result of the high levels of fraud facilitated by the Payforit payment mechanic. Many “services” have appeared in the past year which appear to be a cynical attempt to exploit the vulnerabilities of this system.

This is my own response to this consultation. Although the proposed changes should strengthen the safeguards around “consent to charge”, many other deficiencies of Direct Carrier Billing are not addressed. In particular the lack of any formal dispute resolution procedure and the failure of the MNOs to meet their obligations are not properly considered. There is also the issue of whether the new special conditions will be fully and robustly enforced. Given my experience of PSA over the past two years, I doubt it!

Q1. Do you agree with the PSA’s assessment that the evidence gathered from the research and other information, data and inputs considered support implementation of Special conditions for all subscriptions as an appropriate and proportionate response? If not, please set out your alternative approach and the supporting evidence.

The proposed Special Conditions seem entirely appropriate, given  the high level of consumer harm generated by the current regulation. However they fail to address other deficiencies in Direct Carrier billing such as the lack of a formal and consistent disputes procedure and the lack of a refund mechanism that meets current consumer legislation and expectations.  In their response to the initial consultation, Lateral Corp said “Rather than just creating confidence, the objective should be positive promotion of DCB as the best and most trusted option for any customer”. A laudable aim which these Special conditions will fail to achieve. There is an opportunity here for DCB to really clean up its act and put in place the features that consumers expect of a 21st century payment mechanism.

Lateral Corp go on to list (on page 5) what it sees as the advantages of DCB.

I’m not going to disparage all of them, although it would be easy to do so, but this is just plain ridiculous:

Fully refundable transaction:

Carrier Billing is a commercial anomaly. Generally, other payment methods prohibit or seriously limit refunds. Carrier Billing offers full refunds to customers on request, regardless of the reasons for the request.

Surely nothing could be further from the truth.

One of the biggest issues for consumers is the difficulty of obtaining a refund even when it is clear that there was no consent to charge for the “service” and the “service” has not been used. If there was one change which would make a difference to the consumer perception of Payforit, it would be a refunds system that worked as simply as Lateral Corp seem to believe it does now. A compulsory ADR scheme or an ombudsman is desperately needed!

A system which users can opt-in to, and which puts the MSISDN passthrough behind an account login, would be an improvement. If consumers could then access their account to get a real time view of transactions and to cancel subscriptions, that would have the potential to be a “game changer”.  A disputes mechanism could also be built in to the system allowing consumers to dispute transactions and receive a refund back to their phone account if the dispute was resolved in their favour.

Lateral Corp also give as an advantage of DCB

7) Singular customer support channel: DCB is the only transactional model that leverages an existing service provision relationship. The carrier is not just a payment channel like a credit card company; they are a provider of a number of communication and digital services to their customers. They have customer support infrastructure in place to manage these products and customers have an expectation that any transaction on their account can be dealt with via this support channel. There is no equivalent in the banking industry.

The problem here is that the MNOs are quite clearly unwilling to perform the role that Lateral Corp ascribes to them. Far from acting like a credit card company, they routinely abrogate their responsibility to support their customers when they have a problem with a Payforit “service”. Customers are left to use the Small Claims procedure to pursue their complaint, or have to accept the financial loss from Payforit fraud. The MNOs want to be allowed to act as payment processors without any of the attached responsibilities. They make a lot of money from Payforit, but do virtually nothing to earn it.

The Payforit rules clearly allow consumers to “escalate” Payforit disputes to their network, if they are dissatisfied with the outcome of their discussion with the service provider. This route is routinely being denied to consumers by all the major networks. The assurances and procedure provided to OFCOM as part of their 2012 review of Premium Rate Services have been ignored.

Lateral Corp say “DCB represents the payment method with potentially the highest protection to customers, in comparison to credit card-based systems”. Potentially is the operative word here! As currently implemented, Payforit is insecure and allows numerous fraudulent “services” to operate with impunity.

The Empello submission makes these points in relation to PIN flow:

Recent data presented by Empello at the Global Carrier Billing conference shows that PIN does not necessarily prevent Payments Fraud, as App Malware has now evolved to automatically read and submit PINs without any user interaction.

The internal security of PIN systems is questionable given recent cases in one European country where it was shown that there have been multiple security breaches

This highlights the need to be vigilant and responsive to new mechanisms devised to exploit vulnerabilities in the system.

I don’t accept that the argument that a measure may not be 100% effective is a reason not to employ it. However Phone-paid Services have been a vehicle of choice for fraudsters for many years.  Many of the “services” currently on offer are a cynical attempt to exploit the current vulnerabilities of the system. The proposed Special conditions should defeat the exploits currently being used, but there is no doubt that attempts will be made to circumvent these measures. The industry needs to take fraud prevention much more seriously.

There is a danger that, as has happened before, these Special conditions are “too little and too late”.

In its response to the initial consultation, Lateral sought to minimise the incidence of fraud in DCB transactions by saying:

If the Carrier Billing industry thinks it has a fraud problem, we should be aware that it is miniscule compared to other types of on-line fraud, which amounts to 1.5 trillion dollars each year.

However the transaction value handled by Carrier Billing is also miniscule. If the credit card industry had a percentage of fraudulent transactions equal to that of Direct Carrier Billing, the losses would be horrendous and unsustainable, especially as, unlike the MNOs, the credit card companies can’t make consumers pay for their irresponsible business practices.

The proposed Special Conditions seem entirely appropriate, given the high level of consumer harm generated by the current regulation. However they fail to address other deficiencies in Direct Carrier Billing (DCB) such as the lack of a formal disputes procedure and the lack of a refund mechanism that meets current consumer legislation and expectations. In their response to the initial consultation, Lateral Corp said
“Rather than just creating confidence, the objective should be positive promotion of DCB as the best and most trusted option for any customer”.
A laudable aim which these Special conditions will fail to achieve. There is an opportunity here for DCB to really clean up its act and put in place the mechanisms that consumers expect of a 21st century payment service.

Lateral Corp go on to list (on page ) what it sees as the advantages of DCB. I’m not going to query all of them, although it would be easy to do so, but this “advantage” is just plain ridiculous:

Fully refundable transaction:
Carrier Billing is a commercial anomaly. Generally, other payment methods prohibit or seriously limit refunds. Carrier Billing offers full refunds to customers on request, regardless of the reasons for the request.

One of the biggest issues for consumers is the difficulty of obtaining a refund even when it is clear that there was no consent to charge for the “service” and the “service” has not been used. If there was one change which would make a difference to the consumer perception of Payforit, it would be a refunds system that worked as simply as Lateral Corp seem to believe it does now.

A system which users can opt-in to, and which puts the MSISDN passthrough behind an account login, would be an improvement. If consumers could then access their account to get a real time view of transactions and to cancel subscriptions, that would have the potential to be a “game changer”. A disputes mechanism could also be built in to the system allowing consumers to dispute transactions and receive a refund back to their phone account if the dispute was resolved in their favour.

Lateral Corp say “DCB represents the payment method with potentially the highest protection to customers, in comparison to credit card-based systems”. Potential is the operative word here! As currently implemented, Payforit is insecure and allows numerous fraudulent services to operate with impunity.

The Empello submission makes these points in relation to PIN flow:

  • Recent data presented by Empello at the Global Carrier Billing conference shows that PIN does not necessarily prevent Payments Fraud, as App Malware has now evolved to automatically read and submit PINs without any user interaction.
  • The internal security of PIN systems is questionable given recent cases in one European country where it was shown that there have been multiple security breaches

I don’t accept the argument that, because a measure may not be 100% effective, it is a reason not to employ it. However Phone-paid Services have been a vehicle of choice for fraudsters for many years.  Many of the “services” currently on offer are a cynical attempt to exploit the current vulnerabilities of the system. The proposed Special conditions will defeat most of the exploits currently being used, but there is no doubt that attempts will be made to circumvent these measures. The industry needs to take fraud prevention much more seriously.

There is a danger that, as has happened before, these Special conditions are “too little and too late”.

In its response to the initial consultation, Lateral sought to minimise the incidence of fraud in DCB transactions by saying:
If the Carrier Billing industry thinks it has a fraud problem, we should be aware that it is miniscule compared to other types of on-line fraud, which amounts to 1.5 trillion dollars each year.

However the transaction value handled by Carrier Billing is also miniscule. If the credit card industry had a percentage of fraudulent transactions equal to that of Direct Carrier Billing, the losses would be horrendous and unsustainable, especially as, unlike DCB, the credit card companies can’t force consumers to bear the costs of their negligence in failing to actively address issues of fraud.

Q2. Do you agree with our proposed approach that the proposed Special conditions be applied to all phone-paid subscription services to create clarity and certainty for providers of subscription services, with any additional requirements under other Special conditions not being replicated in the proposed conditions?

Yes, I can see no benefit in  complicating matters by exempting any services from the proposed Special Conditions.  The most important issue though, is that of enforcement. Current rules are not being rigorously enforced. Can we have confidence that these Special conditions will be robustly applied?

Q3. Do you agree that the research and other information, data and inputs we considered support action on each of the identified issues outlined in this document? If not, please provide supporting evidence

No, your proposed actions still fail to address some of the issues, such as the difficulty consumers have in getting redress. If the intention is to “clean up” this sector of PRS, consideration should have been given to complaints procedures and refund mechanisms. Consumers should be able to opt out of having their numbers passed to third parties via the Payforit API.  Consumers who have been defrauded and wish to reduce the risk of having it happen again are often advised to ask their network to bar these charges. I am aware of at least two networks that refuse to implement such a bar. PRS are not an essential element of the telecom service. Most consumers have no need of them.

Q4. Do you agree with our analysis using the risk taxonomy (outlined from paragraph 249 of this document) that Special conditions represent a proportionate regulatory response to the risk of harm posed by phone-paid subscription services? If not, please provide supporting evidence.

I really don’t see how, given the level of complaints and consumer harm, you could do any less! These measures are the very minimum that are required to reduce very high levels of consumer harm. Restoring consumer confidence will require a great deal more!

Q5. Are there any other issues not addressed through our proposed response that you consider warrant regulatory action in light of the research and other information, data and inputs considered? If yes, please provide supporting evidence.

Yes

Having identified “Post-purchase experience and complaint handling” as an area to consider, no proposals have been made to deal with the high levels of consumer dissatisfaction.

If one change to this system was desperately needed it would be this. As long as the complaints and disputes procedures remain as inaccessible and tortuous as they are currently, consumer dissatisfaction and mistrust can only increase.  

If Direct Carrier Billing is to compete with other modern payment methods there are issues other than consent to charge which need to be considered. Other payment methods have clear, published disputes mechanisms which actually work. Much of the consumer dissatisfaction with Payforit stems from the difficulty they experience in resolving disputes. If nothing is done to correct this, no amount of fraud prevention will restore trust.

In the consultation  the PSA say:

188.Section 2.6 of the Code sets out the requirements for Level 2 providers in relation to complaint handling. The Code outcome that relates to this is that consumers can have complaints resolved quickly and easily by the Level 2 provider responsible for the service and that any redress is also provided quickly and easily. The Code also requires that Level 2 providers must provide an appropriate and effective complaints process which is free or low cost.

There is a serious problem here, not with the code, but with the enforcement thereof. In the past year, numerous consumers have been forced to resort to the Small Claims procedure, because of the lack of an “appropriate and effective complaints procedure that is free or low cost”.  Other consumers have been forced to accept losses because the company which has taken their money is based overseas and there is no accessible complaints procedure.

The difficulty of obtaining redress for consumers who have had money taken by a Payforit subscription service is one of the principal drivers of consumer dissatisfaction. A statement that PSA will in future robustly enforce this aspect of the code, followed up by such robust enforcement would help restore consumer confidence. Maybe the Special conditions could require that a company’s complaint procedure must be published on its website or be supplied immediately to a consumer making a complaint.

The MNOs are responsible for the design and implementation of the Payforit system and profit considerably from it. However they are currently abrogating their responsibilities as payment processors. MNOs should be made to accept their responsibility for dispute resolution under the Payforit rules.

188.Section 2.6 of the Code sets out the requirements for Level 2 providers in relation to complaint handling. The Code outcome that relates to this is that consumers can have complaints resolved quickly and easily by the Level 2 provider responsible for the service and that any redress is also provided quickly and easily. The Code also requires that Level 2 providers must provide an appropriate and effective complaints process which is free or low cost.

There is a serious problem here, not with the code, but with the enforcement thereof. In the past year, numerous consumers have been forced to resort to the Small Claims procedure, because of the lack of an “appropriate and effective complaints procedure that is free or low cost”. Other consumers have been forced to accept losses because the company which has taken their money is based overseas and is impossible to hold to account. The MNOs are supposed to help in this respect but invariably fail to do so.

PSA are well aware that service providers are failing to meet this obligation under the Code, but seem reluctant to take any action to ensure that consumers are treated fairly when they complain.

The difficulty of obtaining redress for consumers who have had money taken by a Payforit subscription service is one of the principal drivers of consumer dissatisfaction. High levels of fraud are a cause for consumer concern, but the acquiescence of the networks and the regulator to these high levels of fraud is a cause for consumer anger and distrust! A statement that PSA will in future robustly enforce this aspect of the code, followed up by such robust enforcement would help restore consumer confidence. Maybe the Special condition could require that the company’s complaint procedure be published on its website. MNOs should be made to accept their responsibility for dispute resolution under the Payforit rules. The rules do currently give them the role of investigating and deciding disputes, but these responsibilities are being shirked.


If they are not willing to meet their obligations as regards dispute resolution, a compulsory ADR scheme should be introduced.

Similarly, the lack of a refund mechanism is likely to detract from the attractiveness of carrier billing. I note that this is being considered as a separate issue, but the inability to refund directly and speedily to the consumer’s phone account is another area where Carrier billing lags way behind other payment mechanisms.

As a consumer, I like to know that the payment mechanism I am using has safeguards in the event that something goes wrong. I don’t want to have to make a multitude of phone calls to resolve a simple problem or to employ a private detective to find out the identity of a company taking my money.

I would expect the carrier billing mechanism to offer the same kind of account controls as I enjoy with other payment mechanisms.

If a company generates a disproportionate volume of complaints, they will have their ability to accept credit card payments rescinded. No such safeguards seem to apply to carrier billing, where rogue Payforit services generate large volumes of complaints, but the MNOs continue to allow them to use the Payforit mechanism.



MNOs should be required to provide a bar that blocks charges from these services. Some networks still fail to allow this. It is a legal requirement in many parts of Europe, but not in the UK.

Indeed the EU regulations contain a requirement for

“Selective barring for outgoing calls or Premium SMS or MMS or where technically feasible, other kinds of similar applications, free of charge”

Clearly, as some networks are able to apply charge to bill bars and spending caps that do apply to DCB charges, it is technically feasible.

It should also be made possible to stop future recurring charges even in the event that it is not possible to contact the service provider. Consumers often draw an unfavourable comparison between Payforit and Direct Debit or Continuous Credit Card Authorities in this respect. They expect to be able to stop future payments by contacting the payment processor (their network).

The leaking of MSISDNs via the Payforit API (MSISDN Pass-through) is unnecessary and has caused much consumer harm. It is possibly a breach of GDPR. Although the proposed Special conditions will provide additional safeguards, I still believe it to be wrong in principle to be leaking consumers’ MSISDNs in this way without their explicit consent. Consumers are often unaware that this happens. Consumers should be made aware of it and be allowed to opt-in or opt-out as they wish. This would make the processing indisputably lawful. Consumers opting out wouldn’t be prevented from signing up to subscription services, but would experience additional “friction” as Payforit would revert to the WiFi path requiring them to manually enter their MSISDN.

There is a problem with the STOP mechanism, as often consumers find it difficult to identify the originator of the charges they are receiving. Currently a number of services appear to be operating in breach of the registration requirements. Although a company was recently fined £50,000 for failing to register, it was allowed to operate for months without registering! Enforcement is key here. Services are required to register within 48 hours. If they fail to do so, they should be given 48 hours in order to register. If they still fail to do so, the non-compliant service should be stopped until compliance is established. It is essential that the PSA Number Checker contains information about each and every service, including full registration details of the company operating it. Where one company is providing content and another is actually running the service (and receiving the income from it), both companies should be identified. There has been a recent case where information supplied by the PSA regarding responsibility for a service appears to have been misleading, resulting in CCJs being obtained against an apparently innocent company. This is unacceptable.

As long as the shortcode can be correctly identified, I agree that the STOP mechanism generally works well. However, I believe that the STOP text should be free. A problem sometimes arises with some consumers of PAYG networks. These consumers buy a monthly bundle of texts, calls and data. They operate their accounts with no airtime credit. When they find themselves signed up to a subscription service (whether inadvertently or as the result of fraud), they are unable to send the STOP text as they lack the credit to do so.  If they do add airtime credit, the charge for the unwanted subscription will be taken. This situation is unsatisfactory and could be avoided by making texts to STOP subscription services free.

There is an additional problem where an MSISDN is associated with a WiFi dongle. I have dealt with several cases like this recently. The consumer is unable to see the warning texts and is unable to respond to them, unless the SIM is removed from the dongle and placed in a mobile phone. SIMs supplied for WiFi dongles should have Payforit subscriptions and other forms of Direct Carrier Billing disabled by default. Other consumers are reluctant to send the STOP text because their phone warns them that it is chargeable. Consumers often confuse the subscription charge of £4.50 or £3 with the much lower charge for the STOP text. They believe they were charged £4.50 for sending a STOP text. This confusion can’t be good for the industry.


Q6. Do you have any views or evidence on the use and effectiveness of free trial periods of varying durations to support the PSA in considering what might be appropriate in the context of phone-paid subscription services.

One of the problems PSA face is that there are a number of companies which will seek to stretch any rules to their limit with a view to defrauding consumers. As long as PSA continue to turn a blind eye to these practices, they will continue. This is likely to be an issue with any rules around free trial periods. Any rules should perhaps be reviewed after 12 months, so that any abuses can be identified and eliminated.

Free Trial periods can be effective in allowing new services to demonstrate their value to consumers. It is a common feature of subscription services and needs to be allowed under the rules.

However, there do need to be safeguards.

Either:
Payment details should be taken using a double opt-in procedure at the time the free trial period starts (this tends to be the norm for other payment mechanisms). This makes it obvious to the consumer that, at the end of the free trial period, the service will become chargeable.
Or:
The subscription should end at the end of the free trial period unless the consumer has extended it by going through a double opt-in procedure.

Free trial periods should be able to be terminated by using a STOP text. Free trial periods should not be so short that it is impossible to cancel if, for some reason, the STOP text can’t be sent. 24 hour free trial periods can be problematic in this respect. This is a particular issue where helplines are not manned at weekends.

Q7. Do you have any additional comments?

Fraud prevention has been a very low priority for far too long. If the opportunity is not taken for the industry to clean up its act, other payment mechanisms are likely to take the largest share of any growth. Consumers who have been defrauded by one of the rogue operators are going to take a lot of convincing to use this payment mechanism. Those who believe that Carrier Billing and Payforit don’t have an image problem need only do a search for “Payforit” on one of the networks’ customer forums to see the uphill struggle they will have to regain consumer confidence.

If/when the new Special conditions take effect, consideration will need to be given to subscriptions already in force.  It is not unusual for consumers to discover they have been paying for a weekly subscription for a period of 2 years or more. The Payforit 120Day rule doesn’t seem to be having the effect that it should, probably because it is only being enforced retrospectively. If action isn’t taken to reconfirm existing subscriptions, either by confirming that the subscriber is regularly interacting with the service, or by asking the subscriber to confirm that the service is still required, it is likely that complaints will continue for months, if not years, after the introduction of the new regime.

Addendum Questions

Q1. Do you agree with our proposal to include use of a secure, consumer controlled, mobile originating short message service (MO SMS) as a method that providers could utilise to fulfil the proposed first or second phase consent to charge requirements (and as proposed at Annex A)?

I am concerned that Android malware could be used to exploit this method. Whilst it is true that such malware could be used to circumvent other verification methods, there are many examples of malware being used to send SMS from users’ handsets, so I believe it to significantly increase the risk of fraud.

While the industry refuses to accept that such methods ARE the cause of many of the consumer complaints, I am opposed to anything that opens an additional door for fraud. If consumer complaints were taken more seriously, I would have fewer concerns.

If the industry wishes to allow methods like this, which are demonstrably open to abuse and therefore present a higher risk, it needs to deal much more fairly with consumers who are defrauded as a result of such abuse.    

Q2. Does the addendum provide clarity on the proposed consequential amendments to the service-type specific sets of Special conditions and Notice of Specified Charges and Duration of Calls, required as part of the subscriptions review? Do you agree with the consequential amendments proposed within Annexes B to F? If not, please explain.

Yes

Q3. Do you agree with our approach as outlined at paragraphs 20 – 24 of the addendum? If not, please provide evidence that would support an alternative approach, and/or on any potential impacts of the approach currently being proposed.

Yes, it will simplify things for service providers if they only need to consult one set of special conditions.

Q4. The PSA welcomes feedback on the new receipting-based proposals set out in the proposed Special conditions.

The requirement to send a receipt each time a charge is incurred is a welcome improvement. Often consumers delete these texts as spam and then lack the details necessary to identify the originator of the charges. There is a greater chance of the texts being seen at an early stage if they correspond to each and every charge.