Ofcom’s mobile messaging scams consultation: what operators must do before summer 2026
In short: On 22 April 2026 Ofcom’s ban on leasing Global Titles comes into force for existing leases, closing the signalling route used to spoof UK mobile numbers from overseas. It is one half of an enforcement pincer. The other half is the consultation on new General Conditions for mobile messaging scams, which closed on 28 January 2026 with a final statement expected in summer 2026. The new General Conditions would impose volume limits on pay-as-you-go SIMs, Know Your Customer and Know Your Traffic duties on business message senders, and in-transit blocking obligations on mobile operators and aggregators.
On 22 April 2026 Ofcom’s ban on leasing Global Titles comes into force for existing leases. That closes the SS7 and Diameter signalling route used to impersonate UK mobile numbers from overseas. It is the first of two Ofcom instruments closing on the SMS fraud pipeline this year. The second is the consultation on new General Conditions targeting mobile messaging scams, which closed on 28 January 2026 with the final statement expected in summer 2026. The proposals would add prescriptive General Conditions binding mobile network operators (MNOs), mobile virtual network operators (MVNOs) and messaging aggregators. They introduce volume limits on pay-as-you-go SIMs, mandatory Know Your Customer (KYC) and Know Your Traffic (KYT) checks on business message senders, and in-transit blocking duties. The operational effect is material. The commercial consequences run through wholesale messaging prices, sender ID allocation and aggregator agreements.
The regulatory framework for mobile messaging scams
Ofcom regulates UK mobile messaging under the Communications Act 2003. Under section 32 of the Communications Act 2003, Ofcom may set General Conditions of Entitlement that bind every provider of a public electronic communications network (PECN) or public electronic communications service (PECS) as defined in section 151(1). General Conditions bind communications providers by operation of law. Under section 128, Ofcom may notify a person it determines to have persistently misused a network or service. Where representations do not produce remedial action, Ofcom may issue an enforcement notification under section 129 and impose a penalty of up to £2 million under section 130. Ofcom’s information-gathering powers under section 135 support investigation.
The existing General Conditions, consolidated in 2018, cover number portability and switching (GC B1-B3) and consumer protection in contracts (GC C1-C7), but do not prescribe how providers must detect and block scam messages. The current approach is discretionary. Ofcom reports that mobile operators received over 100 million scam message reports in the year to April 2025 and that around half of UK mobile users received a suspicious message between November 2024 and February 2025. Ofcom’s existing enforcement programme into phone and text scams relies on the persistent misuse regime and voluntary industry measures such as the NCSC joint work on blocking spoofed +44 numbers originating overseas.
What the consultation proposes
The consultation, Combatting mobile messaging scams, was published on 29 October 2025 and closed on 28 January 2026. The proposed package would add new General Conditions that impose prescriptive duties on MNOs, MVNOs and messaging aggregators. The duties split along the person-to-person (P2P) and application-to-person (A2P) axis.
On P2P messaging, mobile providers would set volume limits on pay-as-you-go SIMs. The limits are the headline P2P measure. They are capacity controls designed to disrupt the pattern in which scammers acquire blocks of PAYG SIMs and send tens of thousands of smishing texts before each SIM is detected and deactivated. MNOs would also be required to block further messages once thresholds are reached and to act on third-party reports identifying numbers used in scam activity. The pay-as-you-go market is the primary target because contract SIM acquisition is already subject to customer due diligence checks.
On A2P messaging, the draft General Condition would impose onboarding and ongoing due diligence on MNOs and aggregators. KYC checks on new enterprise senders are the entry gate. KYT monitoring runs during operation: account activity review, investigation of scam reports, blocking of specific sender IDs, and in-transit blocking of messages that match known scam patterns. Ofcom’s proposed provider guidance, published alongside the consultation, sets out how Ofcom expects providers to comply.
The duties cascade through the supply chain. An MNO’s obligation to manage network fraud risk flows down into aggregator wholesale contracts, and aggregators push KYC and KYT evidencing obligations onto Communications Platform as a Service (CPaaS) providers and enterprise senders. Mobile UK, UKCTA, VodafoneThree, BT Group and other industry participants have filed responses. The response window has closed. Ofcom has not published the final statement. The drafting window is closing.
Commercial and operational implications for operators and aggregators
The wholesale messaging price point will move. Messaging aggregators have run low-margin, high-volume businesses on permissive connectivity. KYC and KYT duties carry ongoing compliance costs that must be recovered through wholesale rates. A tightened price point reduces the arbitrage that has drawn grey-route A2P traffic through UK MNOs. Enterprise senders that have relied on cheap, loosely scoped messaging plans should expect their unit costs to rise and their onboarding documentation burden to increase.
Sender ID allocation and short code governance will need re-engineering. Alphanumeric sender IDs are attractive to scammers because they can impersonate banks, couriers, HMRC and other trusted brands. Ofcom’s in-transit blocking proposal shifts sender ID management from a commercial registry issue to a regulatory compliance issue. MNOs and aggregators will need clear sender ID allocation, verification and revocation processes. The UK has no central sender ID registry, which complicates implementation when compared with markets that operate a shared register.
MVNO exposure is specific. Host MNO wholesale agreements typically pass through regulatory obligations but leave commercial allocation of headroom and compliance responsibility to be negotiated. MVNOs should expect host MNOs to push the onboarding duty, the KYC evidencing burden and (where the MVNO has an enterprise messaging book) the KYT evidencing obligation onto the MVNO itself. This is a contract change programme, not a marginal amendment.
CPaaS providers serving the UK market face a binary choice. Either they sit within the regulated aggregator population and shoulder the direct General Condition burden, or they route through a regulated aggregator and accept mandatory KYC and KYT pass-through. The position turns on where the CPaaS provider sits against the PECN and PECS definitions in section 151(1) CA 2003 and on how Ofcom draws the aggregator perimeter in the final General Condition. If you are assessing where in this stack your operations sit, our regulatory perimeter and market entry guidance covers the analysis.
Viewpoint
The consultation window is closed. Operators who submitted quantified positions in January are waiting for Ofcom to publish. Operators who did not submit should expect the final instrument to be shaped by those who did.
In my experience advising on Ofcom consultations of this kind, the package between consultation and statement changes very little where the evidence base is operational. Ofcom is unlikely to soften the P2P volume limits. It is more likely to refine the methodology for KYC and KYT evidence, the thresholds for in-transit blocking, and the commencement and proportionality provisions for smaller operators and MVNOs. The operator-side opportunity in the coming months is narrower than it looks but it is still open: Ofcom’s enforcement track record under the persistent misuse regime shows that implementation detail shapes the real burden.
The point worth watching is the cross-over with fraud liability. The Online Safety Act 2023 does not catch SMS. APP fraud reimbursement under the PSR regime sits on the payment rail, not the messaging rail. A new General Condition regime that mandates in-transit blocking creates an implied regulatory duty of detection. Operators could face derivative civil claims where in-transit blocking fails and the scam message facilitates a fraud loss. The liability bridge between the telecoms duty and the payments reimbursement regime is not in the consultation document. It will come up in the next consultation cycle or in litigation, whichever moves first.
Links
- New rules to protect people and businesses against mobile messaging scams (Ofcom consultation overview, October 2025)
- Combatting mobile messaging scams (Ofcom consultation document, 29 October 2025)
- Proposed guidance for providers on protections from scam mobile messages (Ofcom, 29 October 2025)
- Enforcement programme into phone and text scams (Ofcom)
- Communications Act 2003, section 32 (general conditions power)
- Communications Act 2003, section 128 (persistent misuse notifications)
- Communications Act 2003, section 130 (persistent misuse penalties, up to £2 million)
How Bratby Law can help
Bratby Law advises MNOs, MVNOs, aggregators and CPaaS providers on UK mobile messaging regulation. For advice on the proposed General Conditions, the perimeter question for aggregators and CPaaS businesses, or the contract change programme required for host MNO and aggregator agreements before the final statement lands, contact Rob Bratby through our Telecoms Regulation practice or via a Specialist Co-counsel arrangement with your incumbent legal team.
