The Online Competition Standards Authority (OCSA) is an independent standards and certification body for UK online prize-draw operators. It was founded in response to the DCMS Voluntary Code of Good Practice (2025) and provides auditing, certification and draw integrity services to the sector.

No. OCSA is an independent standards body, not a regulator. It does not have statutory powers. Certification indicates compliance with OCSA standards and alignment with the DCMS Voluntary Code, but is not a legal requirement or regulatory approval.

What is the DCMS Voluntary Code of Good Practice for prize draws?

The DCMS Voluntary Code of Good Practice for Prize Draw Operators was published by the UK Government's Department for Culture, Media and Sport in 2025. Over 100 operators have signed it. It sets out standards for player protection, transparency, draw integrity and accountability. The full implementation deadline is 20 May 2026.

Are UK online prize draws legal?

Yes. UK online prize draws are legal under the Gambling Act 2005 provided a genuine free entry route exists alongside any paid entry route. They are not regulated by the Gambling Commission. The DCMS Voluntary Code of Good Practice provides the primary regulatory framework.

How does OCSA certification work?

OCSA offers three certification tiers: Certified (£75/month), Silver (£275/month) and Gold (£1,275/month). Each tier requires an audit of the operator's website and processes against OCSA's standards. OCSA standards are more demanding than the DCMS Voluntary Code.

What is the OCSA draw register?

The OCSA public draw register at draws.ocsa.org.uk/register/ records all certified draws with permanent blockchain verification on the Polygon mainnet. Each draw uses Chainlink VRF (verifiable random function) to ensure results cannot be predicted or manipulated.

What is the OCSA instant win prize manifest register?

The OCSA instant win register at draws.ocsa.org.uk/iw/ publishes the SHA-256 hash of each sealed prize manifest before the competition opens. OCSA acts as independent arbiter — generating all winning ticket numbers before sales begin and holding the manifest encrypted. Neither the operator nor OCSA staff can alter winning ticket numbers after sealing.

RNG Proof of Concept

RNG Proof of Concept - File Hashing and Draw Integrity

Every OCSA-certified draw includes a SHA-256 hash of the operator's entry list, recorded permanently on the blockchain at the moment the draw runs. This page lets you see exactly how that works - and why it matters.

How it works - what is a file hash?

When an operator runs a certified draw, their entry list is fingerprinted using a cryptographic process called SHA-256 hashing. The hash fingerprint is unique to that exact file structure. Change a single character - a name, a ticket number, a space or a single full stop or comma - and the hash fingerprint changes completely. Any file can be hashed, and every file in existence has a unique hash value.

The entry-list hash is embedded in the draw certificate and written to the Polygon blockchain before the result is announced. If an operator were to alter their entry list after the draw - to swap winners, remove entrants, or adjust ticket numbers - the hash on the certificate would no longer match the hash on the file. The discrepancy would be permanent and publicly visible.

There is no way to alter a file and also preserve its hash.

OCSA does not receive, store or process any entrant personal data. The entry list never leaves the operator's systems - hashing takes place entirely within the operator's browser. OCSA sees and records only the hash value.

Try it yourself

OCSA recently ran a certified demonstration draw for a 1965 Morris Minor Pickup using the example entry list below. 500 imaginary tickets were sold, numbered 1 to 500. The winning ticket drawn by the Oracle VRF system was number 23, recorded by the OCSA-certified RNG and written permanently onto the Polygon blockchain as certificate OCSA-2026-05-07-3164.

The certificate records the winning ticket number - not the winner's name - OCSA never sees entrant data, it’s not necessary and would require extra GDPR protections. The operator cross-references ticket 23 against their own published entry list to identify and contact the winner. This is by design: OCSA certifies the draw process, not the personal data. The operator publishes the entry list BEFORE the draw, on their website, and this is the list that the hashing procedure captures and adds to the certificate. If this published list ever changes, you can be confident that the hash will no longer match, and it is immediately evident that the list published by the operator is not the same entry list used for the draw.

The entry list hash on certificate OCSA-2026-05-07-3164 matches the test file exactly. Download the example file (we haven’t changed it since the certification), drag it into the hashing tool, and compare the result to the Entry List Hash on the certificate. They will match.

🔽 [Download the test entry list]

📄 [View draw certificate — OCSA-2026-05-07-3164]

🔗 [Open free SHA-256 hashing tool]

The hashing tool is a free third-party tool. Your file is never uploaded - the calculation happens entirely within your own browser. Feel free to download the test file onto your pc and test that the hash matches using any hashing tool of your choice. There are many free hash verification tools available from a simple web search.

Now try the altered version

At first glance, the altered file seems identical in every respect - same entrants, same ticket numbers, same email addresses. Only one change has been made: the ticket numbers held by Noah Diaz and Michael Morgan have been swapped. Noah Diaz was the legitimate winner on ticket 23. In this version, Michael Morgan holds ticket 23 instead.

Find rows 23 and 47 in each file, compare side by side, and you will see the difference. Now hash the altered file and compare the result to the certificate. The hash will no longer match - because the file has been tampered with. Even the smallest change (a single letter, space, or punctuation mark) will completely alter the hash code

🔽 [Download altered entry list]

This is what fraud looks like from the outside. One swap. Invisible to anyone reading the file casually. Permanently detectable by the altered hash.

Why this matters

In any traditional prize draw, an unscrupulous operator could (if they had a reason to) alter their entry list after the draw without anyone really knowing or noticing. The OCSA-certified draw system doesn’t make that impossible, but it does make it impossible to do it invisibly. The entry-list hash is on the blockchain before the winning result is announced. The original entry list is in the operator's hands, published on their website and the resultant hash copied onto OCSA’s public draw register. If the hashes ever disagree, the one stored on the blockchain always wins.

No trust required. No reliance on OCSA. No reliance on the operator. The proof is public, permanent and verifiable by anyone with a browser.

OCSA-certified draws record the entry list hash on the Polygon blockchain before the winning result is announced. Verification is permanent, public, and requires no trust in OCSA, the operator, or any third party. OCSA does not suggest that any operator has ever cheated or manipulated any entry list. Using OCSA-certified draws, you can be assured that if an entry list were ever altered, it would be immediately visible to any observer.

RNG Proof of Concept - File Hashing and Draw Integrity

How it works - what is a file hash?

Try it yourself

Now try the altered version

Why this matters

0330 223 7628