NEW DELHI — India’s Department of Telecommunications (DoT) has introduced a sweeping set of amended cybersecurity rules designed to combat the sharp rise in cyber frauds and phishing attacks, signaling a more assertive regulatory approach toward the country’s expanding digital ecosystem.
The reforms, notified this week, authorize the creation of a mobile number validation (MNV) platform — a centralized mechanism that allows telecom operators to verify whether a mobile number truly belongs to a specific customer, based on existing know-your-customer (KYC) data.
Officials say the measure plugs a crucial gap in India’s digital infrastructure, where mobile numbers have become the backbone of everything from financial transactions to identity verification. “This will finally ensure that the number linked to a bank account actually belongs to the account holder,” said a senior DoT official.
The MNV platform, slated for rollout in the coming months, will be mandatory for telecom service providers, but voluntary for banks, financial institutions, and other regulated entities seeking to cross-check their customers’ identities.
FCRF Launches CCLP Program to Train India’s Next Generation of Cyber Law Practitioners
Industry Concerns and Privacy Debate
The announcement has drawn cautious reactions from India’s technology sector and privacy advocates, who argue that the amended rules risk expanding government oversight into areas traditionally beyond the DoT’s remit.
Several industry associations have warned that the broad language of the rules — which refers to “telecommunication identifier user entities” — could inadvertently extend regulatory control over non-telecom businesses such as fintech companies, e-commerce platforms, and food delivery services, all of which use phone numbers as customer identifiers.
“The concern is about scope and interpretation,” said a cybersecurity policy expert based in Bengaluru. “If the definition isn’t tightly framed, it could allow for indirect monitoring of entities that have nothing to do with telecom operations.”
Officials have pushed back against these criticisms. “The fears are unfounded and based on creative assumptions,” one senior official said. “DoT doesn’t intend to regulate anyone apart from licensed telecom firms. Others can opt in only if they see value.”
Nonetheless, privacy campaigners remain skeptical. They worry that allowing multiple sectors to access or exchange customer verification data — even voluntarily — could compromise the confidentiality of personal information, particularly if oversight and consent mechanisms are weak.
Targeting Fraud and ‘Mule’ Accounts
The government maintains that the initiative’s core objective is to tackle a persistent and costly menace: cyber-enabled financial fraud.
Over the past two years, India has seen a sharp increase in phishing scams, digital impersonation, and “mule account” fraud, where stolen or fake identities are used to open bank accounts for laundering illicit funds. In many cases, these accounts were verified using mobile numbers not owned by the account holders, allowing scammers to evade detection.
A recent parliamentary standing committee on home affairs endorsed the creation of the MNV platform, recommending that it be implemented nationwide in coordination with banks, NBFCs, and fintech platforms. The committee noted that such a mechanism could help “curb the use of mobile numbers in fraudulent or mule accounts.”
Under the new rules, banks and financial institutions will be able to query telecom operators directly through the MNV system to validate a mobile number’s ownership during KYC processes — reducing reliance on customer-supplied information or vulnerable third-party databases.
For unregulated entities, such as e-commerce and delivery services, access to the MNV platform will remain optional and subject to fees, officials said. “This tool is mainly designed for sectors that must comply with regulatory KYC norms,” another DoT official clarified.
Extending Responsibility to Device Makers
Beyond identity verification, the amended rules also broaden the DoT’s powers over telecom hardware, empowering the government to issue directives to mobile phone manufacturers in cases involving tampered or cloned international mobile equipment identity (IMEI) numbers.
Manufacturers may be required to block duplicate IMEIs or refrain from assigning numbers already active in Indian telecom networks to new devices being produced locally or imported. The provision, officials say, is intended to curb the circulation of counterfeit or cloned phones often used in organized cybercrime.
Together, these measures underscore the government’s expanding definition of cybersecurity — one that blends national security concerns with consumer protection in a country where over 1.1 billion mobile users interact daily through digital payments, e-commerce, and online governance platforms.
While the DoT insists that its intent is limited to telecom regulation, the debate over privacy, proportionality, and oversight continues to deepen. As one policy analyst observed, “India’s digital trust architecture is evolving — but the real test lies in ensuring that the cure for fraud doesn’t become a pretext for surveillance.”
