I have long wanted to publish a blog on Commsrisk and now, having chaired 59 meetings of the GSMA’s Global Title “GT” Leasing Task Force, I feel I have a subject that I am qualified to write about. That said, to be very clear, I am writing this blog in a purely personal capacity and do not suggest I am representing my clients, employers nor the GSMA in anyway. Now that the formalities are out of the way…
Last month Ofcom published its Statement on GT Leasing. This was strident action by the UK regulator that set an example to the rest of the world. GT Leasing was banned with immediate effect, as well as the creation of GTs from numbers not allocated for use. Third parties may not create GTs from sub-allocated numbers. Guidance on GT leasing was issued to number range holders. On top of this, existing leased GTs must be shut down by 22 April 2026, with two specific extensions for migrating MVNOs and IoT services.1
Ofcom recognise that whilst their jurisdiction is the UK, the abuse of GTs is global in its nature. Their internationalist approach is clear — they plan to become an international evangelist on GT Leasing and can hardly do so without cleaning up their own backyard.2 At a time when too many governments are taking myopic short-term approaches to global problems, this is to be welcomed. Ofcom encouragingly notes that other jurisdictions are also planning to take action on GT leasing.
However, I wouldn’t do this blog justice if I didn’t address the elephant in the room. The GSMA’s Code of Conduct was published over two years ago but is yet to have any signatories and has just a handful of declared supporters. Whilst this is disappointing, I still feel we took the right steps in creating it. The lack of support has resulted in Ofcom not relying upon this form of “self-regulation” and taking direct action themselves. I suspect Ofcom will not be the only regulator to take such action. Operators may regret the failure to self-regulate. The findings of the GT Leasing Task Force exposed the workings of the GT Leasing industry and set sensible standards of behaviour. Perhaps, inadvertently, we gave Ofcom cover to implement stricter regulation than a trade association, such as the GSMA, could ever have agreed upon.
Looking into the detail of the Statement, it is evident that much is in common with the original Consultation. That is hardly surprising — a huge amount of effort went into the Consultation making it unlikely that obvious “clangers” would be found. Still, Ofcom did make some changes and additions. The manner in which they addressed the Consultation responses was particularly interesting.
One myth they have put to bed is that there is no need to address SS7. Some have claimed no action is required for a legacy protocol related to networks that will be shutting down anyway. Ofcom highlighted that 2G/3G networks are usually available when roaming and that, even when 4G/5G is used, users are simultaneously registered on 2G/3G networks to enable seamless handover.3 They anticipate the use of 2G/3G networks continuing past 2033 when all UK 2G/3G networks will shut down. This observation was not challenged in any of the responses from operators.4
Another matter that becomes clear is that the Crown Dependencies are considering action. The Jersey regulator stated it is minded to follow Ofcom whilst the Guernsey regulator is conducting a consultation of its own. The latter has commissioned ENEA, as Ofcom did, to analyse the threat of leasing Guernsey GTs. Ofcom noted that they found at least one known threat actor leasing Guernsey GTs!
Something that was pretty much absent from the Consultation was the subject of HLR queries. To be precise, the topic appeared in just one footnote — reference 98. That didn’t prevent two such companies submitting responses to the consultation — 3G Telecommunications Ltd, who trade as HLRlookup.com, and XConnect. Declaration: during my very short time at XConnect, I helped draft their response to the Consultation.
I found it interesting that Ofcom did not comment on any of the points these submissions raised but did choose to clearly address the HLR query business, as well as GT modification services (which are used for outbound roaming services such as hubs). In Annex 6, the Guidance, Ofcom defines these as higher risk services and provided pretty onerous actions upon any operator enabling the HLR query business. Clearly Ofcom felt this topic was important enough to address specifically and flag up as of particular risk. One can only hope that these HLR query companies are carefully digesting the Statement and preparing to comply with all the laws Ofcom helpfully list. It will be interesting to see how they react, as well as the many other HLR query providers, including the GSMA and its Pathfinder service. Any mobile operator leasing GTs to HLR lookup providers should urgently reconsider the wisdom of their decision.
Ofcom has taken a firm line on GT Leasing and made minimal exemptions — far fewer than the GSMA’s Code of Conduct. Leasing via Lessor, where traffic is routed back to the Lessor’s network, is banned. Ofcom rejected this since it can only be secure if Lessors implement robust controls. The evidence from the ENEA research suggested that this cannot be assumed.
When I read the submissions to the Consultation, I thought Ofcom had a tough job to address the concerns. I now feel a little naïve. Ofcom’s primary concern was not to protect existing business models, but to protect UK and global citizens and the integrity of all phone numbers associated with the UK’s +44 country code. Ofcom treated any exemption as a potential loophole and also confirmed that respondents were able to make appropriate architectural changes to comply with Ofcom’s approach.5 The outcome was that Ofcom:
- rejected Vodafone’s request to extend the intra-group service exemption to affiliates Vodafone may divest for a transition period, rightly noting this would be known during any due diligence;
- rejected requests from BT Group, Transatel, MVNO Europe and Jersey Airtel for various forms of exemptions to the MVNO and MVNX use cases, observing that alternative network designs have been found;
- rejected the requested exemptions for in-vehicle services and IoT services that were proposed by Cubic Telecom and Velos IoT;
- did not respond to requests from XConnect and HLRlookup.com about allowing the continuation of their HLR query business models, having referenced previous Commsrisk articles about the permissibility of such services;6 and they
- rejected Jersey Airtel’s requested exemptions for penetration testing and for A2P services with proven security measures, having noted P1 Security’s use of their own GTs for penetration testing of live networks, which must be considered best-in-class for a security company.
On that final point about creating GTs for penetration testing, Ofcom state that they would:
…need to consider whether the application met our eligibility criteria for the allocation of mobile numbers for use as part of a mobile service.7
I hope they do receive such requests and I will certainly be pushing this point within the GSMA. However, I do not believe Ofcom’s current rules would actually allow them to allocate numbers so security companies can have new GTs.
One point that has come up many times over the last few years are the various initiatives to promote operator APIs. Ofcom references this as an alternative to many use cases that require leased GTs. I wholeheartedly support this view but I wonder about state of this market. XConnect recently rescued Sekura from liquidation at a cost of just GBP40,000 (USD54,000) despite Sekura being described as a “market leader” at real-time customer verification from mobile operators through “one simple API connection”.8
There are obvious questions to ask about future prospects of monetizing network data through APIs when Sekura went into administration with debts totaling GBP2mn (USD2.7mn) after seeing its revenues decline from GBP2.8mn (USD3.8mn) for the financial year ending July 2023 to just GBP2.5mn (USD3.4mn) for the following year.9 Sekura’s debts included over GBP1mn (USD1.35mn) owed to its mobile operator suppliers and GBP220,000 (USD298,000) owed for a shirt sponsorship deal with Norwich City Football Club.10 Hopefully Sekura’s cashflow problems will not be representative of the performance of the wider network API market.
Footnotes
1 Each of these services will have an additional 6 months to migrate due to the complexity of migrations and evidence indicating they are lower risk services.
2 Global Titles and Mobile Network Security — Measures to address misuse of Global Titles (Non-Confidential Version), Ofcom, 22nd April 2025, para. 3.87
8 Sekura Mobile Intelligence Ltd — Notice of administrator’s proposals, paras. 1.8 and 1.11
10 Details of Sekura’s 2023/24 sponsorship of Norwich City Football Club sponsorship can be found here: https://www.canaries.co.uk/content/sekura-principle-partner
