Information Rights Adviser
31 July 2019
Richard De Vere email@example.com
Dear Mr De Vere,
Freedom of Information: Right to know request
Thank you for your request for information about the Mobile Number Portability Process.
This was received by Ofcom on 3 July and it has been considered under the Freedom of Information
Act 2000 (“the Act”).
On your website you state part of Ofcom's role is:
"To help make sure people don’t get scammed and are protected from bad practices. This is
particularly important for vulnerable or older people."
To this effect, I would like to receive further information regarding the changes to the Mobile
Number Portability Process (MNP) and your support in the new process that allows mobile
numbers to be ported with a text message. I would like to receive information that shows
evidence of consultation regarding the security implications of changing this service.
If you cannot provide evidence of this in an open and transparent fashion, my request can be
broken down into simpler questions that I would like answering individually.
1. How much did you spend on security consultation regarding the new MNP process?
2. Who received payment, of any kind, for their role in MNP Process security consultation?
3. Why in your position as a regulatory body, responsible for public safety in this arena have
you made the MNP Process easier for criminals to exploit?
4. Do you intend to help malicious social engineers with their endeavours to exploit innocent
people again in the future, if so how much do you intend to spend supporting criminals?
Ofcom's reforms to the mobile switching process, including auto-switch, which came into effect on 1
July 2019, were developed through a series of consultations. Relevant consultations were issued on
23 March 2016, 29 July 2016 and 19 May 2017; and our final statement was published on
19 December 2017.
The security implications of updating the mobile switching process were considered throughout the
consultation period. This can be seen in the consultation documents, including at:
• Paragraphs 5.59 to 5.64 of the March 2016 consultation document;
• Paragraphs A9.63 to A9.70, A9.125 to A9.131, A9.147-A9.150 and A9.153 in Annexes 6-10 of the
March 2016 consultation document; and
• Paragraphs 4.112-4.124 of the May 2017 consultation document.
Ofcom’s conclusion on the security implications is included in the final statement, at paragraphs
4.106 to 4.110, where it is noted that:
• Auto-Switch represents an improvement over the current porting process as it requires mobile
providers to text the switching code to the consumer, whether they have requested it by text,
online or by phone. The authorised account holder would then be alerted to any fraudulent
PAC/N-PAC¹ request made by phone or online and could contact their provider.
• We also considered the risks of SIM swap fraud and unauthorized acquisition of mobile numbers
and concluded that Auto-Switch does not increase these risks compared to the current situation.
Further detail is included in the Statement annexes 2-11 at paragraphs A2.61 to A2.72.
In relation to your specific questions:
1. We have interpreted this request to mean: How much did Ofcom spend on external security
consultants in relation to the auto-switch process? In answer to this question, we did not
engage external consultants to provide distinct advice on security. We did, however, receive
advice from external consultants with expertise in mobile process design who advised on all
aspects of designing a new mobile switching process including effective mechanisms to ensure
switching requests are made by the authorised account holder. However, we are unable to
separate out the costs that relate only to this element of the advice provided and we therefore
do not hold a spend figure.
2. We have interpreted this request to mean: Which external consultants received payment for
providing advice in relation to the auto-switch process? Please see the response to Question 1.
3. As noted in our final statement, referred to above, we want to ensure that consumers do not
experience unnecessary difficulties when switching mobile provider. Consumers should be able
to exercise choice and take advantage of competition in communications markets by being able
to switch provider easily. Unnecessary difficulties can give rise to consumers suffering harm,
making switching difficult or preventing it entirely in some cases. The new auto-switch process
makes it quicker and easier for people to leave their mobile company, by giving customers
control over how much contact they have with their existing provider.
We further noted in our final statement, that it was important that any revisions or reforms to
mobile switching processes minimise risks of unintended consequences and do not introduce or
compound further harms. In our view, Auto-Switch will not increase the risk of various types of
fraud. Under the new rules, only someone in possession of a SIM can request or receive a
switching code by text. So, we have designed the new process to provide extra protection for
mobile customers, while also making switching easier.
¹ Note that N-PAC is now referred to as STAC (Service Termination Authorisation Code)
4. We trust that the above responses address the premise of this question. For the avoidance of
doubt, we do not hold any further information that would be responsive to this question.
If you have any queries, please contact firstname.lastname@example.org. Please remember to
quote the reference number above in any future communications.
If you are unhappy with the response or level of service you have received in relation to your request from Ofcom, you may ask for an
internal review. If you ask us for an internal review of our decision, it will be treated as a formal complaint and will be subject to an
independent review within Ofcom. We will acknowledge the complaint and inform you of the date by which you might expect to be told
The following outcomes are possible:
• the original decision is upheld; or
• the original decision is reversed or modified.
Timing
If you wish to exercise your right to an internal review you should contact us within two months of the date of this letter. There is no
statutory deadline for undertaking internal reviews and it will depend upon the complexity of the case. However, we aim to conclude all
such reviews within 20 working days, and up to 40 working days in exceptional cases. We will keep you informed of the progress of any
such review. If you wish to request an internal review, you should contact:
2a Southwark Bridge Road
London SE1 9HA
If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a
decision. The Information Commissioner can be contacted at:
Information Commissioner’s Office