Code of Practice

This Section sets out how the PSA will carry out its supervisory role and how this role is intended to support PRS providers to achieve and maintain compliance with the Code.

Supervision involves the PSA’s ongoing oversight of PRS providers and services in order to achieve and maintain compliance with the Code so as to prevent, or reduce, actual and potential harm to consumers and the market. The PSA’s oversight will be achieved through supporting and monitoring compliance with the Code’s Standards and Requirements.

In carrying out its supervisory activities, the PSA will analyse information it gathers itself and receives from others. The PSA may use risk management and other relevant frameworks it publishes from time to time, to enable it to prioritise its supervisory activities so as to support compliance with the regulatory Standards and Requirements set out in Section 3 of this Code as effectively as possible.

In order to enable the PSA to ensure continued compliance with the Code and to prevent consumer harm, its approach to supervision will consist of three main types of activity:

1. proactive – to identify non-compliance with the Code and consumer harm pre-emptively (which will inform regulatory priorities and activities) through ongoing review and assessment of PRS providers and the services they offer;
2. reactive – to spot emerging issues of non-compliance or issues of non-compliance that have recently arisen so as to enable timely and targeted regulatory action to take place which prevents harm from growing; and
3. thematic – to undertake wider diagnostic or remedial work in respect of the provision, content, promotion and marketing of PRS where similar or connected instances of non-compliance with particular provisions of this Code, or of actual or potential harm to consumers, have arisen in relation to a number of PRS providers and/or services.

When performing its supervisory activities, the PSA will have regard to the following principles: 

1. evidence-based judgement -The PSA will make judgements based on evidence and analysis. It will determine the appropriate course of action based on its assessment of, and consideration of any risks posed by, regulated services or service types, individuals, organisations or industry sectors.
2. forward-looking - In assessing any risks, the PSA will also consider the likelihood of any potential future consumer harm. In particular, the PSA will take account of the need for, or benefits of, early intervention in order to prevent or minimise the occurrence of any such harm.
3. focused on risk of consumer harm - The PSA will prioritise its monitoring of issues and PRS providers that pose the greatest risk of harm to consumers. Accordingly, the extent and frequency of supervision conducted by the PSA may increase in line with the risk of consumer harm or detriment that is posed by a particular issue or PRS provider.
4. co-operation - The PSA will work in an open and co-operative way when carrying out its supervisory activities. It will expect PRS providers to co-operate and engage fully to enable effective supervision to take place.

The PSA will supervise by monitoring compliance with the Code in order to achieve the following aims:

1. to assess levels of compliance with the Code by PRS providers and/or particular PRS market sectors;
2. to enable the prompt identification of any actual or potential non-compliance with the Code;
3. to proactively address any actual or potential non-compliance with the Code;
4. to prevent or reduce the risk of actual or potential harm to consumers from non-compliance with the Code; and/or
5. to ensure that the PSA has sufficient information to take informed decisions enabling it to carry out its regulatory functions effectively.

In support of the aims of this Section of the Code, the PSA may take proportionate steps to monitor compliance with the Code. Such steps will include the undertaking of information-gathering activities where the PSA considers that such activities are reasonable and proportionate in order to achieve one or more of the purposes of compliance monitoring set out at paragraph 4.2.4 above. The information-gathering activities that the PSA may conduct are as follows:

1. assessing complaints and other intelligence;
2. requiring audits in accordance with paragraph 4.4 below;
3. requiring the periodic reporting of data and information in accordance with paragraph 4.5 below;
4. targeted information-gathering where this is considered necessary and proportionate in order to achieve one or more of the aims of compliance monitoring as set out at paragraph 4.2.4 above, including by issuing directions for information in accordance with paragraph 6.1 below;
5. carrying out thematic reviews of the provision, content, promotion and marketing of PRS, where the PSA has reason to believe that there may be common or pervasive issues regarding compliance with particular Standards, Requirements and/or other obligation of the Code and using any or all of the compliance monitoring methods set out at paragraphs 4.4-4.6 and information-gathering under paragraph 6.1 below;
6. requiring the provision of skilled persons reports in accordance with paragraph 4.6 below;
7. engaging with PRS providers under Section 5 of this Code, and in particular under paragraphs 5.1-5.3 below; and
8. conducting pre-arranged visits (by consent) to the premises of PRS providers.

Where the PSA is required to provide written notice, under paragraphs 4.4.2, 4.5.2 or 4.6.2 below:

1. it will identify within that notice the purpose(s) under paragraph 4.2.4 above for which the compliance monitoring is being undertaken; and
2. it will also include within that notice a brief explanation of the reason(s) why it considers that the particular activities it has chosen to undertake are reasonable and proportionate in order to achieve the identified purpose(s).

Any written notice or direction issued by the PSA under this Section of the Code will be effective immediately upon being sent by email to an email address provided by the relevant PRS provider for registration with the PSA. If written notice or a direction is sent by the PSA by first class pre-paid post to an address provided by the relevant PRS provider for registration with the PSA, then it will be effective on the second working day after postage.

Where the PSA’s compliance monitoring activities uncover potential or actual non-compliance with the Code which creates a risk of harm or actual harm for consumers, the PSA may engage with any relevant PRS provider(s) in one or more of the manners specified in paragraph 5.1 below. A relevant PRS provider for these purposes will be a PRS provider that, in the PSA’s opinion, is reasonably likely to possess further relevant information about, or is otherwise directly or indirectly connected with, the potential or actual non-compliance.

Any failure to comply with the requirements set out at paragraphs 4.4-4.6 below will constitute a breach of the Code.

For the purposes of supervision under Section 4 of this Code, the PSA may require a PRS provider to submit an audit report annually or periodically as the PSA may specify.

When it requires an audit report, the PSA will give the relevant PRS provider written notice. The PSA may require the report to be in a form specified in the notice and may require the report to address any matters specified in the notice. The PSA will issue guidance from time to time setting out a non-exhaustive range of matters that an audit report may be required to address.

Audit reporting must commence on the date specified by PSA in the notice and continue until the relevant PRS provider is notified by the PSA that such reports are no longer required.

The person(s) making the audit report must be person(s) nominated or approved by the PSA prior to the audit taking place. In order to be nominated or approved by the PSA, such person(s) must appear to the PSA to have the knowledge, experience and skills necessary for the task of conducting a reliable audit.

For the purposes of supervision under Section 4 of this Code, the PSA may require a PRS provider to periodically report data and information. The PSA will issue guidance from time to time setting out a non-exhaustive range of data and information that the PSA may require in periodic reports and notifications under this paragraph.

When it requires the periodic reporting of data and information, the PSA will give the relevant PRS provider written notice. The notice:

1. will specify the data and information that must be reported;
2. may require the reporting to take any form specified in the notice; and
3. will set out briefly the reasons why the specified data and information is required.

Periodic reporting must commence on the date specified by PSA in the notice and continue until the relevant PRS provider is notified by the PSA that periodic reporting is no longer required.

For the purposes of supervision under Section 4 of this Code, the PSA may:

1. require a PRS provider to produce a report for the PSA on any matter relating to the provision of PRS to which, in the reasonable opinion of the PSA, that PRS provider appears to be connected, whether directly or indirectly; or
2. appoint a person to produce a report for the PSA on any matter relating to the provision of PRS.

A skilled persons report will be suitable for matters that require specific expertise, including (but not limited to) technical issues related to platform security and payment platforms.

When it requires a report under paragraph 4.6.1(a) above, the PSA will give the relevant PRS provider written notice. The PSA may require the report to be in a form specified in the notice.

A person appointed to produce a report under paragraph 4.6.1(a) above must be a person appearing to the PSA to have the skills necessary to produce a report on the matter concerned, and must be a person nominated or approved by the PSA.

Where the PSA appoints a person under paragraph 4.6.1(b) above, it will give the relevant PRS provider written notice of the appointed person.

The relevant PRS provider must give the appointed person all such assistance as he or she may reasonably require.

Where it is appropriate the PSA may direct the relevant PRS provider to pay any reasonable expenses incurred by the PSA in relation to an appointment made under paragraph 4.6.1(b).