Prevention of financial frauds perpetrated using calls and SMS

Prevention of financial frauds perpetrated using voice calls and SMS – Regulatory prescriptions and Institutional Safeguards

The proliferation of digital transactions, while offering convenience and efficiency, has also led to a surge in frauds, a pressing concern underscoring the need for concerted action. The mobile number of a customer has emerged as a ubiquitous identifier, instrumental in account authentication and verification process, receiving sensitive payment communication, such as OTPs, transaction alerts, account updates, etc. The mobile number, however, can also be misused by scamsters in multiple ways for committing various types of online and other frauds.

2. With a view to mitigate the potential misuse of mobile numbers, Regulated Entities (REs) are advised to:

1. Utilize the Mobile Number Revocation List (MNRL)¹ available on the Digital Intelligence Platform (DIP) developed by Department of Telecommunications (DoT), Ministry of Communications, Government of India to monitor and clean their customer database. To enhance fraud risk monitoring and prevention, the REs are advised to develop Standard Operating Procedures (SOP) incorporating the required action to be taken including, inter alia, updating the registered mobile number(RMN) after due verification; enhanced monitoring of accounts linked to these revoked mobile numbers for preventing the linked accounts from being operated as Money Mules and / or being involved in cyber frauds, etc.
2. Provide the verified details of their customer care numbers to DIP for enabling DoT to publish them on the “Sanchar Saathi” portal (https://sancharsaathi.gov.in/). The details may be shared on the DoT email [email protected]
3. Undertake transactional / service calls only using ‘1600xx’ numbering series, when operationalized; undertake promotional voice calls only through phone numbers using ‘140xx’ numbering series; follow the “Important Guidelines for sending commercial communication using telecom resources through Voice Calls or SMS” issued by Telecom Regulatory Authority of India (TRAI) and annexed to this circular. REs are also advised to undertake awareness measures in this regard through emails, SMS and other modes, including in vernacular languages.

3. All REs are advised to ensure compliance with the above instructions expeditiously, in any case not later than March 31, 2025.

Annexure

Important Guidelines for sending commercial communication using telecom resources through Voice Calls or SMS (as elucidated by TRAI)

To curb Unsolicited Commercial Communications (UCC) through voice calls or messages using telecommunication services, Telecom Regulatory Authority of India (TRAI) has issued Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR-2018) and several Directions under these Regulations. As per the provisions of the above Regulations, the Senders of Commercial Communication (Transactional/ Service/ Promotional communications) – such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers – are required to fulfil prescribed regulatory requirements. Senders are also referred to as Principal Entities (PEs). Some of the important regulatory requirements are given below.

(A) Registration on DLT Platform

(a) Registration of Senders

1. All Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall get themselves registered with any of the Telecom Service Providers (TSPs) (referred to as ‘Access Providers’ in TRAI Regulations) on DLT platform under TCCCPR-2018 regulations before sending any commercial communications through voice calls or messages using telecommunication services.
2. No business or legal entity, which is not registered on DLT platform under TCCCPR-2018, shall send any commercial communication or cause such communications through voice calls or messages using telecommunication services.

(b) Use of ‘140/ 160’ numbering series for making commercial voice calls

1. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall use only ‘140/ 160’ numbering series (or any other Numbering Series allocated/ assigned by DoT/ TRAI in future for the purpose) for making commercial voice calls.
2. At present, ‘140’ Numbering Series is operational and is allocated only for making promotional voice calls. Therefore, Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall use only ‘140’ numbering series for making promotional voice calls to their customers or prospective customers.
3. The assignment and operations of 140 series are being migrated to DLT platform. Existing telemarketers/entities using ‘140’ series shall be required to register their details on their respective Access Provider’s portal once intimated by the Access Provider.
4. ‘160’ series shall be assigned to the Senders exclusively for making transactional and service calls to their existing customers. It shall be assigned through the DLT platform of the Access Providers and implementation of the same is under progress. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing customers) shall use only ‘160’ numbering series for making transactional and service calls to their customers. Senders shall contact their Access Providers for allocation of the ‘160’ number series to them. There shall be no mixing of promotional/upsell/cross-sell/offer-related communication on such transactional or service calls.
5. Use of 160 series for promotional purposes may lead to disconnection of telecom resources to the Senders, in addition to any other action as stipulated in the regulations.
6. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers etc., and other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall ensure that they register their Voice Headers ( i.e. indicators in 140 and 160 series) with any of the Telecom Service Providers (TSPs) and send the commercial communications through voice to the customers using such registered Voice Headers only.
7. Senders shall not use any other 10-digit fixed line/ mobile number for making promotional/Service/transactional voice calls to their customers, either directly or through their employees or channel partners, DSAs, BPO partner, in-house or outsources Call Center etc.

(c) Registration of Headers for sending SMS messages

1. Any commercial communication can only take place using registered Headers assigned to the PEs (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) for the purpose of commercial communications.
2. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall ensure that they register their SMS Headers with any of the Telecom Service Providers (TSPs) and send the commercial communications through SMS to the customers using such registered SMS Headers only.

(d) Registration of Content Templates

1. Senders are required to get message Content Templates also registered with the Telecom Service Providers.
2. These Content Templates typically have fixed and variable components. Fixed part of content is that part of Content Template which is common across all commercial communications sent to different recipients (customers of Banks etc) for same or similar subject. Variable part of Content (referred as Variables) is that part of Content Template which is specific to the particular transaction for a particular recipient (customers of Banks etc) or may vary for different customers on account of reference to name, address, date, time, place, balance, transaction amount, quantity, count or unique reference number etc.

(e) Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall ensure that they send their commercial communications by engaging only Registered Telemarketers (RTMs) or establish the direct connectivity with the Telecom Service Provider for this purpose.

(B) Use of Digital Consent Acquisition (DCA) service for acquiring Digital Consents of customers for sending Commercial Communication

1. DCA facility, established by Telecom Service Providers under TCCCPR-2018 Regulations, enables the acquisition of digital consent of the customer to receive commercial communication over SMS or voice from a Sender for a specific purpose. Digital Consents are recorded on DLT platform by the Access Provider after its verification by the subscriber through a simple and transparent process using OTP.
2. The Digital consents recorded on DLT system through DCA enables Senders to send promotional communications over SMS and voice to its customers who have opted to block all promotional communications through DND registration. Consents obtained by the Senders through any other mechanism are not treated valid under TCCCPR-2018 Regulations.
3. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication that requires obtaining explicit consent from its customers) shall onboard the Digital Consent Acquisition (DCA) system deployed by Access Providers for the acquisition of digital consent of the customers and integrate the same with their systems/processes.

(C) Action on the part of PEs to maintain Confidentiality and Security of Data related to Commercial Communication and Prevention of Misuse/ Leakage thereof:

1. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) are responsible for maintaining the confidentiality and security of their customer’ data/information, prevention of misuse/ leakage thereof, and taking corrective/ remedial measures in case of misuse/ leakage of such data/ information by any person authorized by them or otherwise, to handle such data/information including RTMs engaged by such Senders and their employees, agents, representatives, associates etc.
2. A Registered Telemarketer (RTM) who is an intermediary collects the information such as PE-ID (ID of Senders/ Principal Entities such as Banks, generated on DLT), Header ID, Content Template IDs, customer information, etc. from the Sender and it may travel through a series of such TMs (known as Aggregator-TMs) before it reaches to the last TM (referred to as ‘Delivery-TM’ in TRAI Regulations) before reaching the Access Provider.
3. In order to maintain confidentiality of data, Senders shall ensure that there are minimum number of aggregator-RTMs (preferably, not more than one or two) in the chain between the Sender and the Access Provider.
4. The Senders (PEs) – particularly Banks, Mutual Funds, Insurance Companies, and other Financial Institutions – should preferably have direct connectivity with Access Provider(s), to eliminate any TM in the chain.
5. As per the Direction of TRAI, a facility is being developed by the Access Provider to bind the message flow from the Sender to the Access Provider’s network as per a pre-defined chain of TMs between the Sender and the Access Provider in the DLT platform. Once this is operational, the Sender shall be required to declare the entire chain of Registered Telemarketers between it (Sender) and the Access Provider.
6. Senders shall incorporate appropriate provisions in their Agreement(s)/ Contract(s) with RTMs, as a deterrent against misuse/ leakage of Headers, Content Templates, Customer Data, etc. by the RTMs and in no case engage Unregistered Telemarketers using 10 digit fixed/mobile numbers or even unregistered headers and templates if they are not registered with any Access Provider’s DLT portal.
7. Senders shall immediately disable such Headers/Templates temporarily and also report to ‘Law Enforcement Agencies (LEAs)’/ ‘Agencies dealing with Cybercrime’, in case of misuse/ leakage of Headers, Content Templates, Customer Data, etc as it may lead to frauds in the name of the Sender/PEs. The responsibility of such misuse/leakage will lie on the Sender and onus of reporting to the LEAs and appropriate action against the miscreant TM will be on the Sender.

(D) Measures to curb misuse of Headers and Content Templates

1. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall register only minimum required number of Headers and Content Templates and shall review and re-verify, on a periodical basis, all the Headers and Content Templates registered by them and surrender/ close unused Headers and Content Templates. The Headers are not likely to be used frequently and may be kept in temporarily blocked conditions to avoid any chances of their misuse.
2. Senders shall classify every Header, at the time of registration, as a ‘Temporary’ or ‘Permanent’ Header, as the case may be. All the ‘Temporary’ Header shall be deactivated after the expiry of the time duration for which such ‘Temporary’ Header was registered.
3. Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication to its existing or prospective customers) shall ensure that minimum variable parts are used in the Content Templates as Variables are prone to misuse.
4. Further, the Senders shall also pre-tag these variable parts for the purpose they are intended to be used such as date, name, currency, URLs, APL-links, unique registration number etc., and no information other than those defined in the pre-tagging shall be included in the variable parts to prevent misuse.
5. Senders shall ensure that only whitelisted URLs/Apks(Applications)/ OTT links/Call back numbers are there in the message Content Templates.
6. Senders shall not use any URL shortening service or short URLs unless the shortened URL clearly indicates that it has a relation with the Sender, eg. https://bit.ly.com/abcdbank.com/xxxxx i.e, it should contain entity extension.
7. Senders shall ensure that no promotional content is included in the Content Template registered for Transactional/Service type commercial communications.
8. Any mixing of promotional/upselling/cross-selling content shall be deemed to be a promotional template only and treated accordingly. For this purpose, the Senders are advised to carefully and responsibly register their Content Templates, and not leave it to third parties/TMs.

(E) Stringent Provision in the Regulation for its violation-Use of any other10-digit fixed/mobile number other than 140/160 series for making promotional/Service/transactional voice calls by Senders (such as Banks, Mutual Funds, Insurance Companies, Mutual funds, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity who wishes to send commercial communication) may result in disconnection of all telecom resources of the Sender for a period up to two years and Sender shall also be put under the blacklist category for that period during which no new telecom resource shall be provided to such Senders by any telecom service provider. Similar action may be taken against the Senders for sending messages without the use of its registered Header(s)and Content Template(s). Misuse of any header of PE to send unintended communication may lead to temporary suspension of PE till such time it reports the incidence to concerned LEA and takes corrective action as per the provisions of the regulations.

(F) Creating Awareness amongst its customers: Senders shall take steps to spread awareness among customers, in local languages as well, about the remedial actions/steps to be taken in various scenarios as follows:

(a) DND Registration: To avoid the inconvenience caused by UCC, a customer can opt to block all commercial communications or can selectively block commercial communications as per preference categories through the Telecom Service Provider’s App/ Website, TRAI DND App, or Call/ SMS to ‘1909’.

(b) Once the 160-series Service/Transactional Calling facility is live, Senders shall widely publicise their 160-series numbers so as to create trust with its customers and eliminate uncertainty and fear amongst them and also lead to better customer response on such calls.

(c) Registration of Complaints

1. In case of receiving spams in spite of registering on DND: Make DND complaint at the respective Telecom Service Provider’s App/ Website, TRAI DND App, or Call/ SMS to ‘1909’.
2. In case of receiving suspected fraud communication: Report any suspected fraud communication received within last 30 days on ‘Chakshu’ platform of Department of Telecommunications (DoT) at https://sancharsaathi.gov.in/sfc/.
3. In case fraud/ cyber-crime has already happened: If customer has already lost money due to financial fraud, or is a victim of cyber-crime, please report at cyber-crime helpline number ‘1930’or website https://www.cybercrime.gov.in.

(G) These guidelines are only for the convenience of the Entities. However, Entities are advised to refer to the TRAI’s website for the applicable Regulations/Directions and Access Providers’ Codes of Practice (CoPs). Link to download TCCCPR-2018 is https://trai.gov.in/sites/default/files/RegulationUcc19072018.pdf.

¹ The Digital Intelligence Platform (DIP) developed by DoT has the availability of Mobile Number Revocation List (MNRL) on real time basis with various categories of disconnected mobile numbers such as mobile numbers (i) taken on fake/ forged documents and failed in re-verification, (ii) involved in cyber-crime/ financial fraud and reported by MHA/ Law Enforcement Agencies (LEAs), (iii) reported by citizens and failed in reverification, (iv) disconnected by Telecom Service Providers (TSPs) based on their fraud analysis/ exceeding limit, (v) reported for misuse by other organizations, and (vi) non-recharge/ no-usage for long time etc.

Notification

Read More on RBI, FEMA, Finance