BT Agilemedia (Case reference: 184013)
| Case Number | 184013 |
| Published date | 28 May 2021 |
| Year | 2021 |
| Procedure Type | Adjudication by consent (Phone-Paid Services Authority) |
| Adjudicated Party | BT Agilemedia |
1
Case Report for BT Agilemedia
(Warning Notice Settlement)
Introduction
Background
The Phone-paid Services Authority (the ‘Executive’) conducted a ‘Track 2’ investigation into BT
Agilemedia (the ‘Network Operator’) which is one of the business units providing premium rate
services within British Telecommunications PLC.
The case concerned the adequacy of the Due Diligence, Risk Assessment and Control
(DDRAC) measures put in place by the Network Operator over approximately eight years. The
investigation conducted by the Executive assessed the adequacy of the Network Operator’s
DDRAC processes, in particular the DDRAC undertaken in relation to a number of the
Network Operator’s clients (referred to as Providers A-G in this case report).
The Executive became aware of potential concerns surrounding DDRAC conducted by the
Network Operator following its response to a direction for information in relation to a Track 2
investigation into one of its clients, Provider A. The investigation into Provider A began
following a complainant report the Executive received from a consumer.
The consumer’s report suggested Provider A may have been operating premium rate numbers
without being registered with the Executive. The Interactive Voice Responses (IVRs) and
website promotions for the service operated by Provider A contained information which
suggested that Provider A was operating multiple 09 number ranges. However, it became
apparent during the investigation that the Network Operator had not actually allocated any
premium rate numbers to Provider A and that the IVRs and website promotions were
therefore incorrect.
The Network Operator confirmed that all the services have always been allocated to a
different legal entity, Provider B. The Network Operator also stated “…[Provider A] was
established with the intention of transferring half of the serv ices from [Provider B], however this is yet
to be implemented. Provider A subsequently became dormant in 2012.” and “As we still have not
received a request to transfer services we did not commence the ex pected due diligence on [Provider
A].”
Provider A and Provider B were parties in a jointly signed contract with the Network Operator,
however only Provider B was registered with the Executive at the time of the complaint.
During the investigation Provider B updated its IVR messages and website promotions to
remove any reference to Provider A. As a result of this no further action has been taken by the
Executive at this time in relation to Provider A.
2
In the Network Operator's formal response to the direction of 7 November 2019, it evidenced
that it had conducted its own internal investigation into the DDRAC for both Providers A and
B, which it shared with the Executive.
In relation to Provider A, it stated “As outlined to you in our email of 15 November 2019 we
discovered that we had not completed the due diligence risk and control s (“DDRAC”) on Provider A as
per Section 3.3.1 of the Code.”
The Network Operator was forthcoming with its findings and disclosed it had discovered the
existence of a third commercial relationship with Provider C which it was previously unaware
of. The Network Operator admitted there were also deficiencies in its DDRAC process in
relation to Provider C.
Additionally, the Network Operator’s submissions highlighted the following further potentially
serious concerns to the Executive:
• the Network Operator’s DDRAC policy document entitled “12th Code PSA Agilemedia
ongoing monitoring process” related to the 12th version of the PSA Code of Practice and
its “Pre-Contract Due Diligence requirements for 09xx” document related to an even
earlier version of the Code. The Network Operator did not state which edition of the
Code it related to and it was not evident from the documentation how old the process
was.
• DDRAC records had been saved on individual employee laptops and were not
transferred to central filing systems. When the employees left the company, the
laptops and the data were subsequently destroyed.
• the Network Operator’s risk control spreadsheet contained only one entry and it did
not contain any historic data due to the process of data being overwritten by the latest
audit.
Given the nature of the Network Operator's submissions, the Executive became concerned
that the issues identified above (relating to the DDRAC carried out in respect of Providers A, B
and C) could be indicative of wider systemic issues in relation to the level of DDRAC
performed by the Network Operator across all of its clients. To investigate this and examine
the seriousness of the potential breaches, the Executive allocated the case to a Track 2
investigation.
The Executive’s investigation
The Executive broadened the scope of the investigation to include a sample selection of five
additional providers to establish whether any potential DDRAC breaches were confined to
Providers A, B and C, or whether there were wider systemic failings in relation to the DDRAC
carried out by the Network Operator.
The Executive selected the five additional sample providers (Providers D-E) which were varied
by service type and registration information. The Executive’s aim in doing this was to establish
the extent, duration and severity of the potential DDRAC failings.
3
The Executive found that Providers D and E had not been in a commercial relationship with the
Network Operator since 2013 and 2014 respectively. This was not apparent from the
registration information at the time of selecting the sample providers. Given the time that had
elapsed since these two providers were in a commercial relationship with the Network
Operator, the Executive based its conclusions primarily on the information gathered in
relation to the other six providers.
At the conclusion of the investigation, the Executive raised the following breaches in respect of
the 12th, 13th and 14th editions of the PSA Code of Practice (the “Code”):
Breach 1 - Paragraph 3.3.1 Due Di ligence (12th, 13th and 14th editions of the Code;
“All Network operators and Level 1 providers must perform thorough due diligence on
any party with which they contract in connection with the provision of PRS and must
retain all relevant documentation obtained during that process for a period that is
reasonable in the circumstances”
Breach 2 - Paragraph 3.1.3 Risk Assessment 12th, 13th and 14th edition of the Code;
“Assess the potential risks posed by any party with which they contract in respect of:
(a) the provision of PRS; and
(b) the promotion, marketing and content of the PRS which they provide or facilitate
and take and maintain reasonable continuing steps to control those risks”
Breach 3 - Paragraph 3. 1.3 Risk Control 12th, 13th and 14th edition of the Code states;
“Assess the potential risks posed by any party with which they contract in respect of:
(a) the provision of PRS; and
(b) the promotion, marketing and content of the PRS which they provide or facilitate
and take and maintain reasonable continuing steps to control those risks”
Summary of the Network Operator’s engagement
The Network Operator engaged fully with the Executive’s investigation at all stages. In
particular, the Executive noted that the Network Operator had provided full and frank
disclosure regarding the inadequacies of its DDRAC processes in the context of the Track 2
investigation into Provider A, which was prior to the Executive’s investigation into the
Network Operator. The Executive observed for example that in response to a formal direction
for information sent by the Executive on 24 December 2019, the Network Operator
responded as follows:
“We take the above matters very seriously. As a result, we are looking at a wider, wholesale review of
DDRAC in relation to these services and the implementation of a DDR AC improvement plan.”
The Network Operator also confirmed at an early stage that it intended to review its current
DDRAC process as a whole and intended to create an improvement plan by mi d-January 2020.
On the 20 March 2020, in response to the Executive’s first direction under the Track 2
procedure against the Network Operator, the Network Operator confirmed that it had
conducted a full assessment in relation to its procedures in the following areas:
To continue reading
Request your trial