Built for B2B from day one.
Every regulator that touches a UK telecoms provider - listed, mapped, mitigated. Procurement, security, legal and compliance buyers can see exactly where we stand, the risks we've considered, and the lawful exemptions we use to keep cost and friction low without removing customer protection.
It's only as confusing as you want it to be.
The UK telecoms regulatory surface is large - but most of it falls into one of three buckets: mandatory, aligned, or deliberately out of scope. We focus on B2B above the microbusiness threshold, structure contracts to stay outside FCA consumer-credit rules, and never bill premium-rate. That single posture removes the heaviest clocks from the GCs and the entire CONC, PSA and FOS surface.
What's left is genuinely simple: hold the security line (NIS2, TSA, NCSC CAF), keep the data clean (UK GDPR, PECR), and run the books straight (HMRC reverse charge). All of that is enforced as code in the platform - not as policy in a binder.

Every body that has a say.
UK regulators on the front line, EU regulators on the partner side (via Mobifon), and the cross-industry standards we hold ourselves to.
Every risk we've considered - and what catches it.
Charge-backs, bill-shock, port-out fraud, SS7 abuse, subprocessor failure, NIS2 clocks, lawful-intercept demands. Each row is mapped to a mitigation already actioned in the platform.
| Risk | Category | Likelihood | Impact | Mitigation | Status |
|---|---|---|---|---|---|
| Card charge-backs / disputed payments<br>Layer 22 money-path guard · /app/audit | Financial | medium | medium | Stripe Radar + 3DS2 SCA on every card auth · B2B accounts use PO/invoice with signed acceptance log · friendly-fraud rebuttal pack auto-assembled from the audit chain (delivery receipt, login trail, usage record). | Mapped |
| Bill shock / unexpected overage<br>Layer 22 · plan policy in /app/wallet-ledger | Reputational | low | high | No overage by design - every plan is a hard cap that throttles, never bills extra. Pre-paid wholesale on the carrier side means we cannot be surprise-billed by Mobifon either. | Mapped |
| Service outage / SLA breach<br>Layer 8 health probes · abel_pentest_runs | Operational | low | high | Multi-IMSI failover (live), partner SLA pass-through to Mobifon NOC, automated service-credit issuance from CDR gap detection. | Mapped |
| Roaming surprise charges<br>Layer 12 sovereignty router | Financial | low | medium | Allied-roaming only (FVEY + EU/EEA), pre-paid roaming bundles, geo-fence push alerts before threshold, hard cap stops session at limit. | Mapped |
| SS7 / Diameter abuse on inbound signalling<br>Layer 4 signalling · /app/abel/overview | Security | medium | high | Live edge inspection of signalling (twin in demo, partner-side in prod), STIR/SHAKEN A-attestation on all originated calls, GSMA FS.11/FS.19 baseline. | Mapped |
| SIM-swap / port-out fraud<br>Layer 14 step-up · Layer 23 chain | Security | medium | high | Admin-gated port-out + step-up auth + 24h cool-off on business lines · device attestation required to re-bind SIM · all attempts logged to the hash-chained audit. | Mapped |
| Lawful-intercept demands<br>Layer 25 forensic replay | Legal | low | high | ETSI LI compliant interface, single named liaison (li-liaison@boundless.tel), every warrant request signed and recorded to the audit chain - no off-the-record taps possible. | Mapped |
| Subprocessor failure (Mobifon, Stripe, Supabase, Cloudflare)<br>Layer 26 continuous compliance export | Operational | low | high | DPIA on file for every subprocessor · documented exit plan with data-export format · Mobifon multi-IMSI fallback · Stripe → fallback to Direct Debit / invoice. | Mapped |
| GDPR DSAR / right-to-erasure overload<br>Layer 11 lawful-basis · /app/audit | Regulatory | low | medium | Automated DSAR endpoint with 24h SLA timer · proof-of-deletion signed and chain-anchored · per-record lawful-basis tag means scope is unambiguous. | Mapped |
| NIS2 24h incident-reporting clock<br>Layer 26 · exportComplianceBundle | Regulatory | low | high | Auto-emitted incident pipeline within 60 minutes of detection - well inside the 24h legal window - with signed evidence bundle ready for the regulator. | Mapped |
| Consumer credit / BNPL exposure (avoided)<br>FCA CONC App 1 · contract structure | Regulatory | low | high | We do NOT offer regulated credit. Monthly rolling, pre-paid wholesale, no deferred payment > 12 months → outside CONC scope · no FCA permission required. | Mapped |
| Premium-rate billing (avoided)<br>PSA scope · billing policy | Regulatory | low | medium | We do not bill third-party premium services. PSA Code of Practice does not apply. Inbound premium-rate calls are routed but not collected on our bill. | Mapped |
| Financial-promotion breach on $BNDL marketing<br>FSMA s.21 · /token gate · audit chain | Regulatory | low | high | Every token-related communication is signed off by an FCA-authorised person under FSMA s.21 before publication. Investor-categorisation gate on /token (high-net-worth, sophisticated, or restricted-investor self-cert). No celebrity endorsements. 24h cooling-off on first investment. Signed copy + categorisation evidence chained to Layer 23. | Mapped |
| $BNDL recategorised as security / CIS / cryptoasset<br>Legal opinion · token.functions · HMRC CRYPTO22050 | Legal | low | high | Standing legal opinion on file: $BNDL is a fractional ordinary-equity instrument, not a unit in a collective investment scheme (no pooling for return), not a cryptoasset under MLR Reg. 14A (no DLT-as-medium-of-exchange), and not a transferable security on a secondary market pre-IPO. Treasury cash-backed; CGT-only tax treatment confirmed against HMRC CRYPTO22050 / share-pool rules. | Mapped |
| Wallet balances cross the e-money definition<br>PSR Sched 1 §2(k) · Stripe e-money licence · wallet_ledger | Regulatory | low | high | Wallet is internal scrip: redeemable 1:1 against Boundless services (limited-network exemption, PSR 2017 Sched 1 Pt 2 §2(k)) plus an explicit £10k per-user cap. Cash-out is processed through Stripe Connect - Stripe is the licensed e-money issuer, we are an agent. Balance ledger is append-only and reconciled per ledger entry. | Mapped |
| Advocate-payout abuse for layering / money-laundering<br>Stripe Connect KYC · MLR 2017 Reg 28 · referral_payouts trigger | Legal | low | high | Every payout name-matched to bank account by Stripe Connect KYC, sanctions-screened on each disbursement, capped at £1k per advocate per month without enhanced due diligence. Single named MLRO (mlro@boundless.tel). All payout state changes auto-audited via handle_payout_status_change trigger. | Mapped |
| Advocate awards reclassified as employment income<br>ITTOIA 2005 s.783A · advocate T&Cs · /app/wallet-ledger | Regulatory | low | medium | T&Cs explicit 'introducer, not employee'. Per-payee structured to fit the £1,000 trading-allowance and the £6k CGT allowance for any token component. Annual statement (CSV + PDF) downloadable from the wallet ledger, mirroring 1099-style reporting for HMRC. Advocate self-certifies tax status at sign-up. | Mapped |
| Chargeback / first-party fraud on top-up or withdrawal<br>Stripe Radar · Stripe Connect · Layer 23 | Financial | low | medium | Top-ups go through Stripe Radar with 3DS2 SCA. Withdrawals are KYC-gated by Stripe Connect Express. Boundless never custodies funds end-to-end - Stripe is the regulated money-handler. Chargeback rebuttal pack auto-assembles from Layer 23 audit chain. | Mapped |
| PSD2 Strong Customer Authentication failure on movement of funds<br>PSR 2017 Reg 100 · Stripe SCA · Layer 14 | Regulatory | low | medium | All card payments go through Stripe with 3DS2 SCA enforced by default. Step-up auth (biometric or OTP) required on wallet movements >£100. Inherence + possession factors logged to the audit chain. | Mapped |
| User-side HMRC reporting on referral or token gains<br>/app/wallet-ledger · HMRC SA guide · CRYPTO22050 | Reputational | low | low | In-app annual statement (PDF + CSV) downloadable from /app/wallet-ledger covering: referral income vs £1k trading allowance, token disposals vs £3k (24/25) / £6k (prior) CGT allowance, and any token-as-income event valued at GBP-spot. Plain-English HMRC-self-assessment guide linked. | Mapped |
Cheapest path, lawfully.
Every lever we lawfully pull to reduce regulatory cost without reducing customer protection. Citations are publicly available regulatory text.
low effort
Steering enterprise revenue above the microbusiness threshold removes most of the consumer-protection clock count without removing any actual customer protection - those buyers are procurement-led, not Ofcom-led.
low effort
Stay Tier 3 for the first 24 months - same security posture (we already exceed Tier 1 controls), one tenth of the reporting overhead.
low effort
B2B marketing pipeline runs on legitimate-interest soft opt-in. Removes the cost of a consent-management platform for the B2B surface entirely.
low effort
For Mobifon-originated CDR data we are processor, not controller. Controller-level DPIA cost stays with Mobifon.
low effort
All retail contracts structured this way → zero FCA permission cost, zero ongoing supervision fee, no FOS exposure.
low effort
Removes ~£40k/yr cash-flow drag on wholesale traffic with Mobifon.
low effort
B2B contracts can include genuine pre-estimate liquidated damages, longer notice, broader limitation - without falling foul of the unfair-terms test.
low effort
Removes PSA registration fee, levy, and complaint-handling overhead permanently.
low effort
B2B customers above the microbusiness threshold resolve disputes through commercial channels. Removes the per-case ADR fee on enterprise.
low effort
No content-moderation team needed on the consumer surface.
low effort
Until we hit that threshold we are 'important' rather than 'essential' - same security outcomes, lighter supervisory regime.
low effort
Tokenised tranche stays inside the small-issue exemption pre-IPO. No FCA-approved prospectus required, no UKLA listing fee.
low effort
Engage an authorised firm to approve all token financial promotions instead of seeking our own Part 4A permission.
low effort
Wallet is redeemable for Boundless airtime/services only, with cash-out routed through licensed Stripe rails. Removes the FCA Authorised E-Money Institution permission cost.
low effort
We never custody funds end-to-end. Stripe is the regulated money-handler; we provide the window. Removes the cost of becoming an authorised payment institution ourselves.
low effort
Removes the FCA cryptoasset registration cost (~£40k/yr supervisory fee + ongoing AML overhead).
low effort
Stripe is FCA-authorised under the MLRs. We rely on Stripe Connect for advocate KYC, removing the cost of building/operating our own CDD onboarding pipeline.
low effort
FOS levy + per-case fee (£650+) avoided on the wallet/payments surface.
low effort
Stripe Elements + iframe checkout means no PAN ever hits our server. Annual QSA cost avoided (~£35k).
Why B2B is the sharper edge.
Side-by-side on every regulatory clock and commercial lever. Not a value judgement - a clear-eyed read of where the friction sits.
| Axis | B2B | B2C | Edge |
|---|---|---|---|
| Ofcom consumer-protection clocks | Above microbusiness threshold → most clocks do not apply | All GC C-series clocks apply (switching, EOC notices, price-rise consent) | B2B-favoured |
| ADR / Ombudsman jurisdiction | Out of scope above microbusiness threshold - commercial dispute route | Mandatory Ombudsman membership + per-case fee (~£350 each) | B2B-favoured |
| Refund liability (CRA 2015) | Freedom of contract - bespoke remedies | Statutory short-term right to reject + repair/replace ladder | B2B-favoured |
| PECR marketing | Soft opt-in (legitimate interest) → no consent UI cost | Prior consent required → consent-management platform needed | B2B-favoured |
| FCA consumer credit (CONC) | Out of scope - business contract | Out of scope IF kept under 12-month no-interest deferment (we do) | neutral |
| Online Safety Act duties | Not applicable | Not applicable to mere-conduit comms | neutral |
| Vulnerable-customer policy | Out of scope | Mandatory - extra cost per acquisition | B2B-favoured |
| Charge-back exposure | Low - invoice + PO + signed acceptance | Medium - Stripe Radar + 3DS2 SCA needed | B2B-favoured |
| Average revenue per customer | £600–£40,000+ /yr | £120–£480 /yr | B2B-favoured |
| Acquisition cost | Higher per deal, longer sales cycle | Lower per customer, mass-market channel cost | neutral |
| Brand / advocacy flywheel | Slower - referenceable case studies | Faster - family pack + word of mouth | B2C-favoured |
We provide the window. Stripe provides the safe.
Card-in to bank-out, the regulated money-handler is Stripe - PSD2-licensed, FCA-authorised payment institution, PCI-DSS Level 1. Boundless holds a hash-chained ledger, never the cash itself. That posture covers the $BNDL token, the wallet, and advocate payouts in one architectural move.
Want this in a procurement pack?
We'll send the full evidence bundle - regulator-by-regulator, with signed Abel chain references - to your CISO, DPO or procurement lead.