The Online Competition Standards Authority (OCSA) is an independent standards and certification body for UK online prize-draw operators. It was founded in response to the DCMS Voluntary Code of Good Practice (2025) and provides auditing, certification and draw integrity services to the sector.

No. OCSA is an independent standards body, not a regulator. It does not have statutory powers. Certification indicates compliance with OCSA standards and alignment with the DCMS Voluntary Code, but is not a legal requirement or regulatory approval.

What is the DCMS Voluntary Code of Good Practice for prize draws?

The DCMS Voluntary Code of Good Practice for Prize Draw Operators was published by the UK Government's Department for Culture, Media and Sport in 2025. Over 100 operators have signed it. It sets out standards for player protection, transparency, draw integrity and accountability. The full implementation deadline is 20 May 2026.

Are UK online prize draws legal?

Yes. UK online prize draws are legal under the Gambling Act 2005 provided a genuine free entry route exists alongside any paid entry route. They are not regulated by the Gambling Commission. The DCMS Voluntary Code of Good Practice provides the primary regulatory framework.

How does OCSA certification work?

OCSA offers three certification tiers: Certified (£75/month), Silver (£275/month) and Gold (£1,275/month). Each tier requires an audit of the operator's website and processes against OCSA's standards. OCSA standards are more demanding than the DCMS Voluntary Code.

What is the OCSA draw register?

The OCSA public draw register at draws.ocsa.org.uk/register/ records all certified draws with permanent blockchain verification on the Polygon mainnet. Each draw uses Chainlink VRF (verifiable random function) to ensure results cannot be predicted or manipulated.

What is the OCSA instant win prize manifest register?

The OCSA instant win register at draws.ocsa.org.uk/iw/ publishes the SHA-256 hash of each sealed prize manifest before the competition opens. OCSA acts as independent arbiter — generating all winning ticket numbers before sales begin and holding the manifest encrypted. Neither the operator nor OCSA staff can alter winning ticket numbers after sealing.

RNG Proof of Concept

Proof of Concept — File Hashing and Draw Integrity

Every OCSA certified draw includes a SHA-256 hash of the operator's entry list, recorded permanently on the blockchain at the moment the draw runs. This page lets you see exactly how that works — and why it matters.

How it works

When an operator runs a certified draw, their entry list is fingerprinted using a cryptographic process called SHA-256 hashing. The fingerprint is unique to that exact file. Change a single character — a name, a ticket number, a space — and the fingerprint changes completely.

The hash is embedded in the draw certificate and written to the Polygon blockchain before the result is announced. If an operator were to alter their entry list after the draw — to swap winners, remove entrants, or adjust ticket numbers — the hash on the certificate would no longer match the file. The discrepancy would be permanent and publicly visible.

There is no way to alter a file and preserve its hash.

OCSA does not receive, store or process any entrant personal data. The entry list never leaves the operator's systems — hashing takes place entirely within the operator's browser. OCSA sees only the hash.

Try it yourself

We ran a certified demonstration draw for a 1965 Morris Minor Pickup using the example entry list below. 500 tickets were sold, numbered 1 to 500. The winning ticket was number 23, drawn by the OCSA certified RNG and recorded permanently on the Polygon blockchain.

The certificate records the winning ticket number - not the winner's name. The operator cross-references ticket 23 against their entry list to identify and contact the winner. This is by design: OCSA certifies the draw, not the personal data. The operator publishes the entry list BEFORE the draw on their website and this is the list captured by the hashing procedure and added to our certificate. If this published list ever changes you can be confident that the hash will no longer match and it is immediately evident that the list published by the operator is not the same list used for the draw.

The entry list hash on certificate OCSA-2026-05-07-3164 matches the file exactly. Download the example file (we haven’t changed it since the certification), drag it into the hashing tool, and compare the result to the Entry List Hash on the certificate.

🔽 [Download the test entry list]

📄 [View draw certificate — OCSA-2026-05-07-3164]

🔗 [Open SHA-256 hashing tool]

The hashing tool is a free third-party tool. Your file is never uploaded — the calculation happens entirely within your browser. Feel free to download the test file onto your pc and test the hash matches on any hashing tool of your choice.

Now try the altered version

At first glance the altered file is identical in every respect - same entrants, same ticket numbers, same email addresses. Only one change has been made: the ticket numbers held by Noah Diaz and Michael Morgan have been swapped. Noah Diaz was the legitimate winner on ticket 23. In this version, Michael Morgan holds ticket 23 instead.

Find rows 23 and 47 in each file and you will see the difference. Now hash the altered file and compare the result to the certificate. The hash will not match - because the file has been tampered with. Even the smallest change ( a single letter or punctuation mark) will completely alter the hash code

🔽 [Download altered entry list]

This is what fraud looks like from the outside. One swap. Invisible to anyone reading the file casually. Permanently detectable by the hash.

Why this matters

In a traditional prize draw, an unscrupulous operator could alter their entry list after the draw without anyone really knowing. The OCSA certified draw system makes that impossible to do silently. The hash is on the blockchain before the result is announced. The entry list is in the operator's hands. If they ever disagree, the blockchain wins.

No trust required. No reliance on OCSA. No reliance on the operator. The proof is public, permanent and verifiable by anyone with a browser.

OCSA certified draws record the entry list hash on the Polygon blockchain before the result is announced. Verification is permanent, public, and requires no trust in OCSA, the operator, or any third party.

0330 223 7628