Hello and welcome to working with ABC

While our auditors will hold your hand throughout the process, we’ve pulled together everything you need to know about TAG’s various requirements and what being audited looks like below...

Steps to our TAG Audit process

We follow the same high-level tailored audit process for all, no matter which set of TAG standards you’re working towards.

Step 1: Pre-Audit – Consultancy (Getting you in shape prior to audit)

Our independent validation starts with a consultancy meeting with our Audit Manager. At this meeting we’ll:

1. Talk you through the relevant TAG Guidelines
2. Obtain a good understanding of your business and how it relates to the Guidelines
3. Outline the audit process

Following the consultancy, if necessary, we’ll make recommendations for any areas that may need developing before the audit starts.  This may be, for example, documenting some of the policies or procedures that you already have in place. We don’t take a pass or fail approach to the audit, instead we’ll work with to you to get to the point where your current TAG related business processes are ready to submit for verification.

Step 2: The Audit - Information Request & Call (Collecting evidence)

We’ll use the information gathered from the consultancy to prepare a tailored Information Request, setting out all the documents and process evidence that we’ll be looking for.

Once you’ve had time to gather the audit evidence, we’ll set up an Audit Call to talk through any questions we may have on the information sent. We’ll also use the Audit Call to walkthrough any applicable processes. 

Step 3: Post Audit – The Audit Report (Sharing our results with TAG)

Upon completion of the audit, we’ll send our Audit Report to you and TAG describing how you comply with the relevant TAG Guidelines.

TAG will review our Report and, subject to their approval, update the TAG Registry to reflect your new TAG Seal expiry date and applicable geographies.

Once your Seal has been issued, you’ll enter into TAG’s annual renewal cycle which requires all the relevant documentation submitted to TAG by 31^st January each year.

The TAG Brand Safety Certified (BSC) Requirements

How you comply with the BSC Guidelines is dependent on where your business sits within the digital advertising ecosystem.

Here’s our summary of the key compliance requirements (for the full TAG Guidelines please visit the TAG Brand Safety page):

Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Brand Safety Certified Guidelines are consistently followed.

Overview & Examples of Audit Evidence – TAG BSC

1. BSC Training

We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.   

2. Ensure All Digital Advertising Agreements Adhere to Brand Safety and Anti Piracy Principles

Evidence may include:

• Insertion Order with targeting instructions.
• Generic Terms and Conditions detailing which CV Tools, Anti-Piracy tools or inclusion/exclusion lists are used and how they are implemented.
• Standard Contracts noting (a) specific categories of inventory to be excluded and how these categories have been derived, and (b) anti-piracy terms
• Policies and Procedures to monitor ad misplacement including a Take Down policy for any ad misplacement that may occur. This could either be included in the agreement or in a publicly facing ‘Brand Safety Policy’.
• Direct Sellers will be required to attest that they own or have the licensed right to the content appearing on their media properties.

3. Any participating company acting as a Direct Buyer, Intermediary, Vendor or Seller must employ the use of a TAG-recognized content taxonomy

For Direct Buyers:
Implement a TAG-recognised content taxonomy using tools provided by Content Verification Services and/or robust methods creating inclusion/exclusion lists.

For Intermediaries and Direct Sellers:
Adopt and operationalise a TAG-recognised content taxonomy to avoid the defined floor for harmful content as referenced in the chosen content taxonomy

A TAG-recognised Content Taxonomy

• The 11 “Sensitive Topics” content categories as defined by the IAB Tech Lab Content Taxonomy version 2.2, and at the “Floor” risk-rating. The most recent version can be found here.
• The 12 “Brand Safety Floor” and Framework identified in consultation with industry experts and representatives of NGOs. This can be found here.

Evidence includes:

• Demonstrating you have implemented a chosen taxonomy
• Demonstrating how your content categories can be mapped back to a TAG-recognised floor
• Inclusion of the use of a taxonomy in agreements to advise partners

4. Monitor and Detect Ad Misplacement

Evidence may include:

1. Details on how inclusion / exclusion lists are created. We’ll test that these lists are being applied across 100% of monetized transactions.
2. Details of how these lists are compiled and maintained, e.g. vetting processes for sites and apps.
3. Details on the use of CV Tools or Anti-Piracy tools including:
   1. If contextual blocking is used.
   2. Is the tool set up as a pre-bid or post-bid solution.
   3. How the tool handles an ad that is deemed inappropriate.
   4. The use of the tool across 100% of monetized transactions.
4. Details and examples of moderation controls over user generated content
5. Direct Sellers will be required to disclose policies for the additional monitoring, detection and management of risk against ad misplacement, such as the use of editorial codes of conduct.
6. Direct Sellers will be required to attest that they do not block or unduly restrict the legitimate use of Content Verification and Anti-Piracy services.
7. Direct Sellers must disclose the means by which they ensure that their media properties do not host or stream pirate content.

5. Document Policies and Procedures to Minimise Ad Misplacement

Evidence includes:

• Making available documented brand safety policies and procedures which will include:
• • How inclusion/exclusion lists are created and maintained and;
  • How content is reviewed and flagged as brand safe, for example by use of a CV tool, AI or moderation.
  • Policies and procedures around anti-piracy, including the use of an anti-piracy tool if applicable

6. Employ Pirate Mobile App Filtering

For Intermediaries and Direct Buyers only*.

*Important: TAG can provide you with the Pirate Mobile App List within your TAG Member Portal log in. However, the use of this list alone is not sufficient to meet the requirements and in-house filtering must also be applied.

7. Employ Pirate Domain List Detection and Removal

Evidence includes:

• Demonstrating how pirate domain exclusion exists in your current exclusion lists already
• Demonstrating how your chosen CV Tool filters for pirate domains
• Demonstrating the implementation of TAG’s Pirate Domain Exclusion List*
• Walkthroughs of the process for reviewing and adding pirate domains to any exclusion list currently used

*Important: TAG can provide you with the Pirate Domain Exclusion List within your TAG Member Portal log in. However, the use of this list alone is not sufficient to meet the requirements, and in-house filtering must also be applied.

8. Define & Identify Key Roles & Resources

Companies must define and identify the internal roles and resource(s) responsible for responding to any incidents of ad misplacement due to brand safety issues or piracy. These could be an individual or a team as well as any tolls used by those individuals or teams.

External roles and resources responsible for responding to any incidents of ad misplacement due to brand safety issues or piracy must also be documented. These are who the internal resources would communicate with for any brand safety or piracy issues.

9. Ensure Inclusion/Exclusion Lists are Reviewed Quarterly

Policies and procedures to maintain any inclusion/exclusion lists must be documented and followed as part of your Internal Quarterly Reviews. The methodology for adding/removing keywords, key-phrases, categories and digital media properties must be provided to TAG.

The TAG Certified Against Fraud (CAF) Requirements

How you comply with the CAF Guidelines is dependent on where your business sits within the digital advertising ecosystem.

Here’s our summary of the key compliance requirements (for the full TAG Guidelines please visit the TAG Anti-Fraud page):

Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Certified Against Fraud Guidelines are consistently followed.

Overview & Examples of Audit Evidence – TAG CAF

1. CAF Training

We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.   

2. Employ Invalid Traffic (IVT) Detection and Removal

All monetised transactions and/or inventory is measured and handled in a manner compliant with a TAG-recognised standard for IVT detection and removal. This includes impressions, clicks, conversions etc. and covers all types of digital inventory.

All inventory handled by a company must be filtered for IVT – including owned and operated media as well as any inventory handled on behalf of a third-party partner.

The type of evidence we may review is:

• Reporting from the accredited tool or ad server showing the blocking of IVT across campaigns
• A walkthrough of your platform showing the implementation and use of the accredited tool or ad server to block IVT as standard
• Policies and procedures detailing how the tool or ad server is used
• If you operate globally or across multiple entities, evidence of how the consistent use of the accredited tool or ad server is achieved such as central monitoring and/or training of relevant teams
• If a Direct Seller relies on intermediary partners for their IVT detection, all of these partners must have been awarded a TAG CAF seal

3. 4. & 5. Filtering

Domain Threat Filtering, Data Centre IP Threat Filtering and App Threat Filtering should be applied across all monetised transactions (including impressions, clicks, conversions etc.) All can be applied pre-bid or post-bid.

• Domain Threat Filtering is the practice of filtering out domains that are identified to have a high risk of being the origin and/or the destination for invalid traffic.
• Data Centre IP Threat Filtering is the practice of filtering out IP addresses that are identified to have a high risk of being the origin and/or destination for invalid traffic.
• App Threat Filtering is the practice of filtering out apps that are identified to have a high risk of being the origin and/or the destination for invalid traffic.

You must have in-house techniques for addressing each of the above. Your chosen accredited tool or ad server may apply a Domain Threat List, Data Centre IP* or App Threat filtering already.

*Important: TAG can provide you with the Data Centre IP List within your TAG Member Portal log in. However, the use of this list alone is not sufficient to meet the requirements and in-house filtering must also be applied.

6. Implement a TAG-Recognised Follow-the-Money Solution

For Intermediary’s only, the TAG-Recognised Follow-the-Money Solution verifies the path of payment. Solutions include (but are not limited to):

• the TAG Payment ID System or
• SupplyChain object and Sellers.json

The type of information we may review is:

• Evidence of the implementation, upload and maintenance of a Sellers.json file
• Evidence that the SupplyChain Object field has been included/populated in bid requests
• Evidence of the implementation of the Payment ID system for a sample of transactions

For additional guidance on how to implement the TAG Payment ID System, please reference the ‘TAG Product Specification for Payment ID System.’

7. Implement and Honour ads.txt and app ads.txt

A Direct Seller must publish an ads.txt file. If that company owns and operates media in the in-app environment, an app-ads.txt file must also be published.

A Direct Buyer must honor an ads.txt and/or app-ads.txt file where published.

An Intermediary must honor an ads.txt and/or app-ads.txt file where published.

The type of information we may review is:

• Evidence of the implementation, upload and maintenance of app-ads.txt files (Direct Sellers)
• Evidence of filtering for (app-) ads.txt authorised inventory in your platform (Buy side Intermediaries)
• Evidence of checking for app-(ads.txt) traffic when buying inventory from technology partners (Direct Buyers)

10. Define & Identify Key Roles & Resources

Companies must define and identify the internal roles and resource(s) responsible for responding to ad fraud events. These could be an individual or a team as well as any tolls used by those individuals or teams.

External roles and resources responsible for responding to any ad fraud events must also be documented. These are who the internal resources would communicate with for any ad fraud events.

11. Employ User Agent Structure for Podcasting Environments

Any company identifying as a Podcast Distribution Player and/or a Podcast Creator must use the following user agent structure for all RSS feeds and audio files;

<app name>/<app version><device info> <osname>/<os version><other info>

Podcast Creators - entities which create Podcast content, and which may work with an agent to monetize Podcast content. 

Podcast Distribution Players (Agents) - defined as entities which own and operate a technology layer which enables the monetization and distribution of podcast content. 

The TAG Certified Against Malware (CAM) Requirements

How you comply with the CAM Guidelines is dependent on where your business sits within the digital advertising ecosystem.

Here’s our summary of the key compliance requirements (for the full TAG Guidelines please visit the TAG Anti-Fraud page):

Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Certified Against Malware Guidelines are consistently followed.

Overview & Examples of Audit Evidence – TAG CAM

1. CAM Training

We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.   

2. Define and Identify Key Roles and Resources

Companies must identify, designate and document the responsible resource(s) on behalf of their partners. Evidence may include Vendor Terms of Service, SLAs and documented business expectations.

3. Define Escalation Process

Define and document processes for assessing malvertising events and determining whether an event is an incident as well as process for escalating malvertising incidents within their companies and with their partners.

4. Employ Effective Malvertising Detection and Removal Services

Applicable to Intermediaries and Vendors only for all advertising assets and landing pages.

Techniques may include:

• Scanning of campaign assets and landing pages
• Real-time detection based on blocklists, code analysis or third-party verification knowledge repositories
• Run-time behavioral analysis

Intermediaries must provide a description of the methodologies used to employ such malware detection and removal services, and a list of vendors used to execute such services.

5. Employ Creative Ad Tagging

Intermediaries must employ ad-creative source tagging for 100% of the ad-creatives the company handles; however, the employment of ad-creative source tagging is only required when an adcreative is delivered via OpenRTB.

How a company meets this requirement depends on which type of intermediary function(s) the company fulfills.

Intermediaries acting as a DSP and/or the source of the ad-creative must declare:

• The company’s name
• The company’s TAG ID
• Creative ID
• Buyer ID

Intermediaries acting as an SSP, Ad Network and/or Ad Exchange must declare:

• The company’s name
• The company’s TAG ID
• DSP ID, or another identifier of the source of the ad-creative
• Creative ID

6. Review Monitoring, Reporting and Post-mortem Processes Semi-annually

Applicable to Intermediaries and Vendors only. The Post-mortem processes should be documented and evidence of the reviews maintained, including any output from post-mortem investigations.

7. Define Post-mortem Processes

Applicable to Buyers, Intermediaries and Vendors only. Define and document the post-mortem processes.

Making use of our FREE marketing support

We want to ensure you get the most value from working with us and achieving your TAG Seal. That’s why we’ve created a suite of FREE supportive marketing tools for you to use. These include:

• Email signatures
• Personalised ads
• PR templates
• Educational powerpoint slides

These will all be provided to you upon completion of your audit. To discuss in more detail please contact Jo.