Telecom Regulator TRAI Revises KYC Data Sharing Proposal, Cites New Cybersecurity Rules

The Telecom Regulatory Authority of India (TRAI) has revised its earlier proposal regarding the consent-based sharing of mobile subscriber Know Your Customer (KYC) data, making it more practical and viable in the current policy environment. This update is attributed to the introduction of new cybersecurity rules and the development of an official mobile number validation mechanism.

In a communication to the Department of Telecommunications (DoT), TRAI recommended establishing a "data sharing and consent management framework" akin to the Data Empowerment and Protection Architecture (DEPA) for the consent-based sharing or validation of telecom subscriber KYC data, including during the process of mobile number portability.

TRAI cited new provisions under the Telecommunications Act, 2023, and the Telecommunications Cyber-security (Amendment) Rules, 2025. Crucially, the rollout of the Mobile Number Validation (MNV) platform is a key enabler. The MNV platform allows authorized entities to digitally confirm if a mobile number is genuinely linked to the individual claiming it, acting as a privacy-preserving authentication tool. It verifies the number-user linkage without requiring direct transfer or exposure of the subscriber's full KYC details.

This revised stance addresses concerns previously raised by the DoT, which had expressed reservations that the 2022 proposal might clash with rules aimed at preventing fraudulent SIM porting. The DoT had returned sub-recommendations, stating that direct consent-based sharing of KYC data with recipient operators during porting was not feasible.

TRAI clarified that it is not advocating for a direct handover of KYC files between operators. Instead, it referenced a successful proof-of-concept on the government’s Data Intelligence Unit (DIU) platform. In this test, demographic details submitted to a new operator were electronically matched against the old operator’s records without any actual KYC data transfer. This matching process aligns with licensing conditions while effectively verifying demographic information.

The regulator emphasized the growing importance of mobile numbers as a core identity credential used across government portals, banks, and fintech firms. As mobile numbers increasingly serve as a primary KYC fulfillment method for various institutions, TRAI reiterated its recommendation to align telecom data portability with India's Account Aggregator (AA) network framework, which is designed for consent-based financial data sharing.

Impact
This development can significantly streamline customer onboarding and verification processes for telecom operators, while enhancing data privacy and security. It may also pave the way for more integrated digital identity solutions across sectors. The move towards consent-based data sharing aligns with global trends and promotes a more user-centric digital ecosystem.

Rating: 7/10

Explanation of Difficult Terms:

• KYC (Know Your Customer): A mandatory process for businesses to verify the identity of their clients, typically to prevent fraud, money laundering, and other illicit activities. For mobile subscribers, it usually involves submitting identity and address proofs.
• TRAI (Telecom Regulatory Authority of India): The statutory body that regulates the telecommunications sector in India.
• DoT (Department of Telecommunications): A department under the Ministry of Communications of the Government of India responsible for the policy and development of telecommunications.
• MNV (Mobile Number Validation) platform: A system that allows authorized entities to digitally confirm if a mobile number is correctly linked to the user, without disclosing sensitive KYC data. It verifies the association between a number and its claimed owner.
• DEPA (Data Empowerment and Protection Architecture): A framework, initially drafted by NITI Aayog, designed to give individuals more control over their data, promoting a "human-centric" data ecosystem where data sharing is consent-based and secure.
• Account Aggregator (AA) network: A framework in India that allows individuals to securely share their financial data from various institutions (like banks, mutual funds, insurance companies) with financial information providers (FIPs) based on their explicit consent.
• SIM Porting: The process where a mobile subscriber can switch to a different mobile network operator without changing their existing mobile number.
• Demographic details: Information relating to the statistical characteristics of human populations, such as name, address, age, and date of birth, used for identification and verification.