Ofcom’s Global Title Existing-Lease Ban Takes Effect 22 April 2026: What MNOs, MVNOs and Enterprise Lessees Should Do This Week
In short: Ofcom’s ban on existing third-party leases of Global Titles takes effect on Wednesday 22 April 2026. Only two narrow migration journeys are extended to 22 October 2026. UK mobile network operators and enterprise lessees of Global Titles, including messaging aggregators and CPaaS providers, must confirm their signalling path complies from that date. Fintechs and banks should ask their messaging supplier whether any part of the SMS authentication path has used a leased Global Title.
Ofcom’s twelve-month transition period for existing leases of Global Titles to third parties ends on Wednesday 22 April 2026. From that date, mobile network operators can no longer provide a leased Global Title to a third party except where the arrangement falls within one of two narrow migration journeys Ofcom extended to 22 October 2026. The rule affects mobile network operators, mobile virtual network operators, enterprises consuming leased Global Titles through intermediaries, and the broader base of financial institutions whose SMS authentication and location services rely on the underlying signalling layer. This note sets out what ends, what has been extended and what each affected party should do before the cut-off.
Ofcom’s rules that takes effect on 22 April 2026
Ofcom’s Statement Global Titles and Mobile Network Security, published on 22 April 2025, imposed an immediate ban on new third-party leases of UK Global Titles, set a twelve-month transition period for existing third-party leases ending 22 April 2026, and extended that transition to 22 October 2026 for two specified migration journeys. The Statement followed a 2023 consultation and an updated consultation in 2024 in response to sustained evidence of signalling misuse, including SMS interception, unauthorised location tracking and A2P messaging bypass.
The regulatory instruments sit across three layers. First, Ofcom amended General Condition B1 (numbering) and introduced a new Non-Provider Numbering Condition that captures operators holding UK mobile numbers outside the General Conditions. Second, Ofcom amended the National Telephone Numbering Plan under section 60(3) of the Communications Act 2003. Third, the persistent misuse regime in sections 128 to 130 of the Communications Act 2003 remains the enforcement backstop where misuse continues after the cut-off, with penalties of up to £2 million per contravention under section 130 and the ancillary powers in section 129 (enforcement notifications). Ofcom’s Annex 6 Guidance for Number Range Holders, also dated 22 April 2025, explains the operational steps expected of providers.
What a Global Title is, and why the signalling layer matters
A Global Title is the signalling-network equivalent of a dialable phone number. It is an E.164-format address used in SS7 and Diameter signalling to route mobile control-plane traffic (the messages that set up calls, deliver SMS, query subscriber location and handle roaming handovers) between networks. In UK practice, Global Titles are allocated from the blocks of mobile numbers assigned to licensed mobile operators. Operators use their own Global Titles to run their networks. Over time a secondary market emerged in which operators leased Global Titles to third parties for services such as SMS routing, home location register lookups, A2P messaging delivery and commercial location services. It is that lease market Ofcom has now closed.
The signalling layer carries no meaningful end-to-end authentication. A third party with a leased Global Title appears to the global SS7 network as the operator itself. Ofcom’s evidence base documents three recurring abuse vectors. First, interception of SMS one-time passcodes: an attacker uses signalling access to reroute the SMS carrying a login or payment authentication code to a device under its control. Second, covert location tracking of mobile subscribers through home location register queries. Third, unlawful application-to-person messaging bypass, in which commercial bulk traffic is injected at the signalling layer to evade operator termination rates. All three vectors are difficult to detect at the access layer because they exploit a legitimate signalling path.
The one-time passcode vector is the most consequential for UK firms. When a bank or payment service provider asks a customer to authenticate a login or transaction, the second factor is often a six-digit code sent by SMS. The message travels from the sender through a messaging aggregator and onto the destination mobile operator’s network. If an attacker can intercept that message through signalling-layer access, two-factor authentication collapses into single-factor authentication. Documented incidents include the 2017 attack on O2 Germany customers that drained bank accounts, the 2019 Metro Bank SS7 incident in the United Kingdom, and multiple crypto-exchange account takeovers. Closing third-party Global Title leases removes the most common signalling-layer route into the SMS authentication path.
Compliance steps before 22 April 2026
Four audiences carry the migration burden. The compliance position differs by role.
Mobile network operators must audit all current Global Title allocations, identify every lease to a third party and confirm that each has been terminated, migrated to an in-house allocation or documented as falling within one of the two extension-eligible migration journeys. Operators should retain the audit trail, the migration contracts and the board-level sign-off papers. The primary enforcement route is the General Conditions regime under sections 94 to 100 of the Communications Act 2003 for breach of amended GC B1 and the Non-Provider Numbering Condition, with penalties of up to 10 per cent of relevant turnover. The persistent misuse regime in sections 128 to 130 is a second, parallel route where abuse continues after the cut-off.
Mobile virtual network operators are not the direct subject of the rule, but each should write to its host MNO asking for written confirmation that no third-party-leased Global Title has been used for MVNO signalling. MVNO commercial teams should also review wholesale access agreements for indirect exposure, particularly where the MNO has sub-contracted signalling functions.
Enterprise lessees of Global Titles, including specialist CPaaS providers and messaging aggregators, must identify every service that depends on a leased Global Title, and evaluate three options: an in-house Global Title allocation (available only to providers of public electronic communications networks and services), a direct commercial arrangement with an MNO under one of the Ofcom-approved models, or migration to an alternative signalling arrangement. The in-house route is not a realistic option for most enterprises.
Fintechs and banks are affected indirectly, through their messaging suppliers. Many firms treat SMS one-time passcodes as a commodity delivered by an aggregator, with little visibility of the underlying signalling path. Each firm should ask its aggregator whether any element of its SMS authentication path has depended on a leased Global Title, and, if so, what the migration arrangements are. The exercise should sit alongside a wider review of whether to retain SMS OTP as a primary authentication factor or migrate to app-based or passkey authentication.
Commercial and operational consequences
Migration has three cost centres. First, the direct commercial cost of moving services to in-house MNO signalling arrangements, which will be reflected in wholesale pricing. Second, the disruption cost of any SMS OTP or location service that fails during migration, with the risk concentrated in the week either side of 22 April 2026. Third, the legal cost of reallocating liability under master service agreements drafted without contemplation of a regulator-mandated signalling change.
Insurance and fraud-loss allocation deserve particular attention. Where an MSA allocates SMS fraud losses by reference to the aggregator’s signalling path, the change in signalling model alters the risk allocation. Firms should read fraud-loss, indemnity and force-majeure clauses together and consider a short-form variation. International roaming and cross-border signalling are unaffected by the UK rule. Operators and enterprise customers should track parallel work by the GSMA Fraud and Security Group, ENISA, Finland’s TRAFICOM and Germany’s BNetzA, any of which could follow with analogous signalling controls.
Viewpoint
The Global Title leasing ban and the messaging General Conditions regime covered in our recent note on Ofcom’s messaging scams enforcement priorities are two parts of the same regime, closing on the same SMS fraud pipeline inside ninety days. The practical message for clients is that SMS as a trust channel is being re-engineered, not abandoned. Signalling is moving to a closed model in which only licensed operators hold Global Titles, messaging is moving to a filtered model in which aggregators carry compliance obligations, and fintech architectures that depend on either path need to be reviewed with both in mind. In my experience the single most common failure mode is treating SMS as a commodity that the supplier manages. From 22 April 2026, that position is no longer tenable for any firm regulated in the UK.
Links
Ofcom, Statement: Global Titles and Mobile Network Security (22 April 2025). Ofcom, Annex 6: Guidance for Number Range Holders to Prevent Misuse of Global Titles (22 April 2025). Communications Act 2003, section 128, section 129, section 130, and section 60 (Numbering Plan). Ofcom, General Conditions of Entitlement.
If you would like a compliance review of your signalling arrangements, SMS authentication path or underlying contracts before the 22 April 2026 cut-off, contact Rob Bratby at Bratby Law.
