Online Safety Act

Age Assurance Design Rationale

Service: RPMMO AEGIS Kingdoms
Operator: AEGIS Game Studios
Regulatory Context: UK Online Safety Act 2023 (User-to-User Service)


1. Purpose of This Document

This document explains the design, implementation, and justification of the age assurance measures used by AEGIS Game Studios for the RPMMO AEGIS Kingdoms, in accordance with the UK Online Safety Act 2023 and Ofcom guidance on Highly Effective Age Assurance (HEAA).

It demonstrates how the service ensures that children are not normally able to access age-restricted content, using a layered, proportionate, and robust approach.


2. Service Classification Under the Online Safety Act

AEGIS Kingdoms is classified as a user-to-user service under the Online Safety Act.

While the service does not provide pornography, sexual content, or illegal material, it includes user-generated text-based roleplay in a fictional setting. Due to the nature of roleplay, users’ characters may describe or reference:

  • Violence, torture, or threats

  • Death or harm

  • Fictional scenarios that could resemble real-world harm

  • Non-sexual references to off-screen romantic or adult activity

Although these are moderated and restricted, they are not suitable for minors. Accordingly, the service requires Highly Effective Age Assurance before access is granted.


3. Content Safeguards and Prohibitions

The following content is explicitly prohibited across all AEGIS platforms:

  • Pornography (including erotic roleplay)

  • Sexual content involving minors (including “aged-up” or disguised representations)

  • Gore or explicit sexual violence

  • Illegal material of any kind

  • Instructional content intended to facilitate real-world harm

Moderation is active and continuous. However, moderation alone is not relied upon to protect children; access is restricted at the account level through HEAA.


4. Age Assurance Strategy Overview

AEGIS Game Studios employs a multi-stage, defence-in-depth age assurance model, combining:

  • Manual approvals

  • Highly Effective Age Assurance (credit-card based)

  • Paid subscription gating

  • Mandatory authentication

  • Session expiration

  • Ongoing moderation

  • Zero-tolerance enforcement

This approach exceeds minimum expectations and is intentionally designed to prevent circumvention.


5. Account and Access Flow (Step-by-Step)

5.1 Forum Account Creation (Initial Gate)

  • Users must create an account on the AEGIS Forums.

  • All accounts require manual approval by staff.

  • Anonymous browsing is not permitted.

  • Until approved, access is restricted to read-only informational areas.

5.2 Mandatory Pre-Age-Check Information Stage

  • Approved users are directed to non-posting FAQ sections.

  • These sections explain:

    • The nature of the service

    • Content restrictions

    • The requirement for age verification

  • Users cannot proceed without completing the age assurance process.

5.3 Highly Effective Age Assurance (HEAA)

  • Users must complete a credit-card based age verification check via a regulated payment provider.

  • No card data is stored by AEGIS Game Studios.

  • This check is performed before users may apply for game access.

  • The result of the check (approved / not approved) is recorded, not the payment details.

This method is selected because it meets Ofcom’s HEAA criteria for robustness and effectiveness.


6. Additional Access Controls

6.1 Paid Membership Requirement

  • A paid, monthly membership is required to access AEGIS Kingdoms.

  • Membership status is manually verified.

  • Payment acts as an additional deterrent to minors and supports the overall HEAA framework.

6.2 Lore & Comprehension Gate

  • After age approval, users must apply for a roleplay / TTRPG character.

  • This includes lore comprehension checks.

  • This step further reduces the risk of accidental or malicious access by minors.

6.3 Game Account Provisioning

  • Game login credentials are issued only after:

    • Age verification

    • Active paid membership

    • Manual approval

  • Game credentials are separate from forum credentials.


7. Authentication and Session Controls

7.1 Game Client

  • The game client does not store login credentials.

  • Users must authenticate every time they play.

7.2 Forums

  • Forum sessions automatically expire after 336 hours (14 days).

  • Re-authentication is required thereafter.

  • Forums cannot be accessed anonymously.

These controls ensure that age-verified access is not permanent or transferable without credentials.


8. Enforcement and Zero-Tolerance Policy

If a user:

  • Admits to being under 18 (including “as a joke”), or

  • Creates reasonable suspicion that a minor has access to an account

Then:

  • The account is terminated immediately

  • No warnings or exceptions are applied

  • This policy exists to prioritise child safety over user retention

This strict approach is intentional and documented.


9. Why This Approach Meets HEAA Requirements

This system satisfies Ofcom’s expectations because:

  • Age assurance is performed using a highly effective method

  • Access is account-bound, not device- or cookie-based

  • Authentication is mandatory and repeatable

  • Sessions expire

  • Manual oversight is present at multiple stages

  • Circumvention is actively mitigated

  • Records of approvals and controls are maintained

Children are therefore not normally able to access the service.


10. Proportionality and Data Minimisation

  • No identity documents are collected

  • No card data is stored

  • Only age-verification outcomes are retained

  • The system is proportionate to the risk profile of the service

This aligns with both the Online Safety Act and UK GDPR principles.


11. Review and Ongoing Effectiveness

AEGIS Game Studios commits to:

  • Periodic review of age assurance effectiveness

  • Updates in response to Ofcom guidance changes

  • Adjustments if circumvention or new risks are identified


12. Conclusion

AEGIS Kingdoms employs a robust, layered, and proportionate age assurance system that meets the requirements of the UK Online Safety Act and Ofcom’s guidance on Highly Effective Age Assurance.

The design ensures that children are not normally able to access the service, while respecting user privacy and minimising unnecessary data processing.

 

Children’s Risk Assessment – AEGIS Kingdoms (RPMMO)

Service Provider: AEGIS Game Studios
Service: AEGIS Kingdoms (Gaming + User-to-User Forums)
Regulatory Framework: UK Online Safety Act 2023 – Child Safety and Age Assurance Duties

1. Regulatory Context

Under the UK Online Safety Act 2023, Ofcom requires user-to-user services to conduct a children’s access assessment and a children’s risk assessment to identify and mitigate risks of harm to children arising from content or functionality of the service. To conclude that children are not normally able to access the service (or certain areas of it), providers must implement highly effective age assurance (HEAA) and effective access controls. (www.ofcom.org.uk)

Ofcom’s guidance defines HEAA as methods meeting criteria of:

  • technical accuracy

  • robustness

  • reliability

  • fairness

and requiring evidence that children are successfully excluded. (www.ofcom.org.uk)


2. Child Safety Risks Identified (Pre-Mitigation)

| Risk | Description | Likelihood (Pre-Controls) | Potential Harm |
|------|-------------|---------------------------|----------------|
| R1 | A minor gains access to roleplay content involving adult themes | High | Psychological or emotional harm |
| R2 | Circumvention of self-reported account age using false information | High | Access by under-18s |
| R3 | Account sharing with a verified adult account | Medium | Indirect minor access |
| R4 | Persistent session or saved login bypasses re-authentication | Medium | Unsanctioned continuous access |
| R5 | Inadequate account gating allows forum browsing without age control | High | Exposure to harmful interaction |

Assessment of these risk scenarios is aligned with Ofcom’s requirement to consider how children might encounter or interact with the service inappropriately. (www.ofcom.org.uk)


3. Mitigation Controls Implemented

For each risk identified, the following mitigation measures are in place:

3.1 Highly Effective Age Assurance (HEAA) – Credit-Card Verification

  • All users must complete a credit-card-based age verification before applying for restricted content access.

  • This method is classified by Ofcom as one type of age assurance capable of being highly effective when properly implemented because it is evidence-based and cannot be trivially self-reported. (www.ofcom.org.uk)

Effect: Demonstrably reduces the risk of under-18 access (R1, R2).


3.2 Multi-Stage Account Approval and Access Controls

  • Forum account creation with manual approval before any access.

  • Users cannot view restricted forums or progress until age verification is successful.

  • Game access is only granted after age assurance, lore comprehension, and paid subscription verification.

Effect: Blocks unauthorized or premature access to user-generated content (R1, R2, R5).


3.3 Membership Subscription Requirement

  • Paid monthly membership manually verified before granting game access.

  • Acts as a secondary deterrent to minors and another control point for validation.

Effect: Reinforces access barriers (R1, R2).


3.4 Authentication and Session Management

  • Game client requires login on every session.

  • Forums require re-authentication after 336 hours of session activity.

Effect: Prevents long-term session persistence and token abuse (R4).


3.5 Moderation and Prohibited Content Enforcement

  • Active moderation to block content involving illegal activity, explicit sexual material, or unsafe roleplay.

  • Prohibitions include sexual content involving minors in any form.

  • Admission of under-age status by a user leads to immediate termination.

Effect: Further limits exposure to harmful content (R1, R3).


4. Residual Risk Evaluation

Following implementation of the controls above, the residual risks are assessed as follows:

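| Risk | Residual Likelihood | Residual Impact | Risk Level (Post-Controls) |
|------|---------------------|-----------------|----------------------------|
| R1 | Low | Low–Medium | Acceptable |
| R2 | Low | Medium | Acceptable |
| R3 | Low | Medium | Acceptable |
| R4 | Low | Medium | Acceptable |
| R5 | Very Low | Low | Acceptable |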

Rationale: With HEAA, credential gating, session controls, and moderation, the probability of under-18 access is reduced to an acceptable level such that children are not normally able to access restricted parts of the service. This aligns with Ofcom’s stage-1 conclusion conditions in its children’s access assessment guidance. (www.ofcom.org.uk)


5. Justification for Mitigation Selection

Each control is proportional to:

  • The potential for exposure to age-inappropriate content

  • The frequency and permanence of access paths

  • The requirement to demonstrate that children are not normally able to access the service

HEAA via credit-card checking, combined with strong authentication and moderation, is considered an effective and proportionate approach for an adult-directed roleplay service with text-based interaction components. This is consistent with Ofcom’s non-exhaustive list of HEAA methods and the criteria for demonstrating “highly effective” assurance. (Osborne Clarke)


6. Privacy and Data Protection Considerations

The service minimises collection of personal data for age assurance and complies with broader privacy/data protection requirements. Only outcome information (verification result) is stored; sensitive payment or identity information is not retained by the operator, meeting Ofcom’s guidance to balance child safety with privacy obligations. (www.ofcom.org.uk)


7. Monitoring, Review, and Reassessment Triggers

This risk assessment will be reviewed:

  • Annually by default

  • After any material change in service features

  • After evidence of reduced control effectiveness

  • In response to Ofcom or industry guidance updates

This reflects Ofcom’s requirement to keep written records of risk assessments and review them regularly. (www.ofcom.org.uk)


8. Conclusions

Based on the evidence and controls implemented:

  • Children are not normally able to access the relevant age-restricted parts of the AEGIS Kingdoms service.

  • Residual risks have been reduced to acceptable levels.

  • Controls are justified, proportionate, and in line with Ofcom’s expectations for highly effective age assurance and risk mitigation under the Online Safety Act.

Record of this assessment, supporting evidence, and rationale will be maintained in compliance documentation in accordance with Ofcom’s record-keeping guidance. (www.ofcom.org.uk)