boundlesstelecom
Boundless 2.0
Ofcom - the honest read

It's only as confusing as you want it to be.

We've heard the feedback that "Ofcom is an issue" and that "B2C is too risky." Both statements are partially true and mostly tractable. Here, in plain English, is what Ofcom actually regulates, why we lead with B2B, and the specific guardrails that keep our consumer surface tiny, safe and lawfully exempt from the heaviest clocks.

What Ofcom does regulate
  • General Conditions of Entitlement (GCs) - contract, switching, 999/112, EOC notices.
  • Telecoms Security Act 2021 + Code of Practice - Tier 1/2/3 security duties.
  • Numbering plan, portability, MAC codes.
  • Scam-text and CLI-spoofing duties.
  • EECC consumer-protection clauses for residential customers and microbusinesses.
  • Net neutrality and traffic management (with BEREC).
What Ofcom does not regulate
  • Consumer credit - that's the FCA. We deliberately stay outside CONC.
  • Premium-rate billing - that's the PSA. We don't bill premium services.
  • Data protection - that's the ICO. We map separately.
  • User-to-user content moderation - that's the Online Safety Act, and only for U2U services. We're a connectivity provider.
  • B2B contract terms above the microbusiness threshold - most consumer clocks don't apply.
  • Tax - that's HMRC. Reverse charge handles wholesale.
Why we lead with B2B

Same network. Different regulatory clocks.

The microbusiness threshold (≤10 employees, ≤€2m turnover) is the line where most consumer-protection clocks stop applying. Above that line, we're regulated like an enterprise vendor - procurement-led, contract-led, commercially negotiated. That removes Ofcom's heaviest casework categories without removing any actual customer protection from the people who buy from us.

| Axis | B2B exposure | B2C exposure | Edge |
|---|---|---|---|
| Ofcom consumer-protection clocks | Above microbusiness threshold → most clocks do not apply | All GC C-series clocks apply (switching, EOC notices, price-rise consent) | B2B-favoured |
| ADR / Ombudsman jurisdiction | Out of scope above microbusiness threshold - commercial dispute route | Mandatory Ombudsman membership + per-case fee (~£350 each) | B2B-favoured |
| Refund liability (CRA 2015) | Freedom of contract - bespoke remedies | Statutory short-term right to reject + repair/replace ladder | B2B-favoured |
| PECR marketing | Soft opt-in (legitimate interest) → no consent UI cost | Prior consent required → consent-management platform needed | B2B-favoured |
| FCA consumer credit (CONC) | Out of scope - business contract | Out of scope IF kept under 12-month no-interest deferment (we do) | neutral |
| Online Safety Act duties | Not applicable | Not applicable to mere-conduit comms | neutral |
| Vulnerable-customer policy | Out of scope | Mandatory - extra cost per acquisition | B2B-favoured |
| Charge-back exposure | Low - invoice + PO + signed acceptance | Medium - Stripe Radar + 3DS2 SCA needed | B2B-favoured |
| Average revenue per customer | £600–£40,000+ /yr | £120–£480 /yr | B2B-favoured |
| Acquisition cost | Higher per deal, longer sales cycle | Lower per customer, mass-market channel cost | neutral |
| Brand / advocacy flywheel | Slower - referenceable case studies | Faster - family pack + word of mouth | B2C-favoured |
And yet - we still serve consumers

Because the family pack is the advocacy flywheel.

The honest read on consumer mobile is that the unit economics are tight and the regulatory clocks are loud. We accept both. The consumer surface exists because the family pack and the referral mesh together drive the cheapest possible word-of-mouth acquisition into the B2B funnel - your accountant uses Boundless at home, then asks "can we put the office on this too?"

We keep the consumer surface tiny by removing the things that attract complaints in the first place: no overage, no mid-contract rises, no premium-rate billing, no consumer credit, hard caps, plain-English bills, ADR membership. What's left is a low-defect product that Ofcom rarely sees at all.

The full Ofcom card

Duties, position, risks, exemptions.

Same card you'll find in the regulator stack - pre-expanded for clarity.

Remit

UK communications regulator. Sets General Conditions of Entitlement (GCs), enforces the Telecoms Security Act, runs the consumer-protection regime for telecoms, manages the numbering plan, and supervises 999/112 access.

Duties that touch us
  • GC A1–A3 - Provision of public electronic communications networks/services and registration.
  • GC C1 - Contract requirements, transparency, and a binding 'no mid-contract price rise without consent' rule.
  • GC C2 - Switching: One-Touch Switch (OTS) for residential, MAC/text-to-switch for business mobile.
  • GC C5 - Free, uninterrupted access to 999/112 - even on barred or out-of-credit SIMs.
  • GC C6 - Must-offer, must-publish tariffs; end-of-contract notification.
  • TSA 2021 + Code of Practice - Tier 1/2/3 security duties for telecoms providers; we sit comfortably in Tier 3 today.
  • EECC implementation - Consumer-protection clauses ported into the GCs.
  • Scam-text duties - Block-on-suspicion + STIR/SHAKEN A-attestation.
Our position

We design every product to sit on the safe side of the GCs and to exceed the TSA Code of Practice as a continuous property of the platform. The consumer-side surface is intentionally small (no overage, no credit, no premium-rate, hard caps), which keeps us out of Ofcom's high-risk caseload categories.

Associated risks - and how they're already mitigated
  • Service outage / SLA breach
    Operational · L: low · I: high

    Mitigation in place: Multi-IMSI failover (live), partner SLA pass-through to Mobifon NOC, automated service-credit issuance from CDR gap detection.

    Evidence: Layer 8 health probes · abel_pentest_runs
  • SS7 / Diameter abuse on inbound signalling
    Security · L: medium · I: high

    Mitigation in place: Live edge inspection of signalling (twin in demo, partner-side in prod), STIR/SHAKEN A-attestation on all originated calls, GSMA FS.11/FS.19 baseline.

    Evidence: Layer 4 signalling · /app/abel/overview
  • SIM-swap / port-out fraud
    Security · L: medium · I: high

    Mitigation in place: Admin-gated port-out + step-up auth + 24h cool-off on business lines · device attestation required to re-bind SIM · all attempts logged to the hash-chained audit.

    Evidence: Layer 14 step-up · Layer 23 chain
  • Vulnerable customer harm (B2C only)
    Reputational · L: low · I: high

    Mitigation in place: Vulnerable-customer flag on profile · automatic exemption from any price-rise notice clock · mandatory 999/112 call-through even on barred SIMs · plain-English bills only.

    Evidence: Consumer policy · Ofcom GC C5
  • Mid-contract price rises (B2C only)
    Regulatory · L: low · I: medium

    Mitigation in place: We do not do CPI/RPI-linked rises. Price for the term is the price on the contract. Any change requires fresh consent + 30-day exit right.

    Evidence: Ofcom GC C1.4 · pricing-promise PDF
  • Bill shock / unexpected overage
    Reputational · L: low · I: high

    Mitigation in place: No overage by design - every plan is a hard cap that throttles, never bills extra. Pre-paid wholesale on the carrier side means we cannot be surprise-billed by Mobifon either.

    Evidence: Layer 22 · plan policy in /app/wallet-ledger
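
The SIM-swap / port-out mitigation above combines three gates (admin approval, step-up auth, 24h cool-off) with a hash-chained audit of every attempt. The sketch below is an added example, not Boundless platform code: the class and field names, the record format and the genesis value are assumptions chosen for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

COOL_OFF_SECONDS = 24 * 3600  # the 24h cool-off named in the mitigation
GENESIS = "0" * 64            # assumed anchor value for the first entry

@dataclass
class PortOutRequest:         # hypothetical request shape
    msisdn: str
    requested_at: int         # epoch seconds when the port-out was requested
    admin_approved: bool
    step_up_passed: bool

class AuditChain:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(
            {"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False  # an entry was edited, removed or reordered
            prev = e["hash"]
        return True

def decide_port_out(req, now, audit):
    """Apply all three gates; log the attempt whether allowed or denied."""
    reasons = []
    if not req.admin_approved:
        reasons.append("admin approval missing")
    if not req.step_up_passed:
        reasons.append("step-up auth not passed")
    if now - req.requested_at < COOL_OFF_SECONDS:
        reasons.append("cool-off not elapsed")
    audit.append({"msisdn": req.msisdn, "at": now,
                  "allowed": not reasons, "reasons": reasons})
    return (not reasons), reasons
```

Denied attempts are logged as well as allowed ones, so repeated probing of a line stays visible, and `verify()` fails if any earlier record is altered after the fact.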
Exemption levers we lawfully use
  • B2B-first commercial focus
    60,000 /yr · low effort
    Ofcom GC C-series - most consumer-protection clocks apply to residential customers and microbusinesses (≤10 employees, ≤€2m turnover). B2B above the microbusiness threshold sits outside the heaviest clocks.
    Steering enterprise revenue above the microbusiness threshold removes most of the consumer-protection clock count without removing any actual customer protection - those buyers are procurement-led, not Ofcom-led.
  • Tier 3 TSA classification
    120,000 /yr · low effort
    TSA 2021 Code of Practice - Tier 1 ≥£1bn turnover, Tier 2 ≥£50m, Tier 3 below. Tier 3 has the same security outcomes but lighter reporting cadence.
    Stay Tier 3 for the first 24 months - same security posture (we already exceed Tier 1 controls), one tenth of the reporting overhead.

Read the rest of the regulatory canon.

Both deep-dives - B2B and Personal - list every regulator, every duty, every risk, and every exemption.