DoT notifies amended cybersecurity rules; Introduces mobile number validation platform to curb fraud

The Department of Telecommunications (DoT) has reportedly notified amended cybersecurity rules aimed at tackling the rise in cyber fraud despite concerns from the tech industry that the new framework may be too broad and risk infringing on consumer privacy. The rules will apply only to licensed telecom operators, while entities such as banks, financial institutions, and insurance companies can voluntarily opt in.

A key feature of the new framework is the creation of a mobile number validation (MNV) platform, which will allow verification of mobile numbers against know-your-customer (KYC) details held by telecom operators. The platform, set to launch in the coming months, will help banks and fintech companies confirm that mobile numbers linked to accounts belong to legitimate holders, thereby reducing fraud.

Currently, no legal mechanism ensures that phone numbers linked to bank accounts are verified to the actual user. The amended rules fill this gap by establishing a system through which entities can confirm mobile number ownership directly with telecom providers.

While e-commerce companies and food delivery platforms are not covered under the mandatory framework, they can also use the MNV service by paying a fee if they wish to verify user numbers.

Meanwhile, some industrialists have criticised the rules as being overly expansive, arguing that they could compel any entity using phone numbers for customer identification to share user data, potentially compromising privacy. Further, the MNV platform has received support from the parliamentary standing committee on home affairs, which recommended nationwide implementation in coordination with banks, NBFCs, and fintech firms to curb the use of mobile numbers in fraudulent or mule accounts.

Additionally, the revised rules empower the government to direct phone manufacturers to assist in identifying tampered devices using duplicate International Mobile Equipment Identity (IMEI) numbers. Manufacturers may also be required to ensure that IMEIs already active in Indian telecom networks are not reassigned to new devices, whether locally made or imported.