The story so far: On August 17, seeking to further tackle the menace of cybercrimes and financial fraud, Union Minister for Telecommunications Ashwini Vaishnaw introduced two reforms. These entail revision of norms for bulk procurement of SIM cards and registering the final point of sale (PoS) by the licensees (or providers). The reforms are meant to strengthen the citizen-centric portal Sanchar Saathi that was launched in May this year with the same objective.
What is Sanchar Saathi?
Broadly, the citizen-centric portal allows citizens to check the connections registered against their names, block mobile phones which are stolen or lost, report fraudulent or unrequired connections and verify the genuineness of a device (before a purchase) using the IMEI (International Mobile Equipment Identity). It utilises two modules, namely, the Central Equipment Identity Register (CEIR) and the Telecom Analytics for Fraud Management and Consumer Protection (TAFCOP).
Sanchar Saathi has, till date, analysed 114 crore active mobile connections. Of these, 66 lakh connections were flagged as suspicious, and 52 lakh connections were disconnected because they failed re-verification. Other than this, 66,000 WhatsApp accounts have been blocked and 8 lakh bank/wallet accounts used by fraudsters were frozen. Furthermore, as per the DoT, more than 300 FIRs have been filed against more than 1,700 dealers.
What is the latest reform about PoS about?
From now on, it would be mandatory for franchisee, agents and distributors of SIM cards– all PoS—to be registered with the licensees or the telecom network operator. The onus would be on the operator to carry out an “indisputable” verification of the PoS. Importantly, police verification (of the dealer) is mandatory.
Further, the formal agreement for the sale of SIM cards between the PoS and licensees must be put down in writing. Existing SIM card providers have been given 12 months to comply with the registration requirements.
If the PoS is found to be involved in any illegal activity, the agreement would be terminated with the entity being blacklisted for 3 years. It would also draw a penalty of Rs 10 lakh.
The DoT holds that these provisionswould help in “identifying, blacklisting and eliminating rogue PoS, from the licensees’ system and provide and encouragement to the upright PoS.” The idea is to minimise instances (and PoS) where dealers have, by fraudulent practices, issued SIM cards to “anti-social/anti-national elements”.
What about bulk SIM cards and their misuse?
Broadly, the latest provisions would replace the system of ‘bulk procurement’ of SIM cards (by businesses, corporates or those meant for specific events) with a system entailing ‘business’ connections — sizeable procurement by a registered business entity or enterprise. Elaborating on the premise, Mr Vaishnaw observed that 20% of bulk-procured SIMs were misused. “In the guise of bulk connections, a lot of SIMs would be procured and then they would make automated calls using a SIM-box,” he said. Mr Vaishnaw added that another mechanism entailed using a certain number of SIMs from the bulk procurement to make a certain number of calls, destroying them and then using another batch.
Also read: Govt to discontinue sale of SIM cards in bulk
The latest reforms would endeavour to address these issues. The new norms maintain that though businesses can procure any number of connections, it would be subject to completing KYC requirements for all end-users. In other words, the final user—the executive who would be holding the connection— would have to undergo the KYC procedure. This would help recognise each end user. The SIM would be activated only after successful KYC of the user and physical verification of the premise/address.
In order to prevent the misuse of printed Aadhaar, the provisions mandate that demographic details would need to be captured by scanning the QR code of the printed Aadhaar. Subscribers would also have to undergo the entire KYC procedure for replacing their SIM; for a period of 24 hours, all outgoing and incoming SMS facilities would be barred.
In addition to thumb impression and iris-based authentication as part of the E-KYC process, facial based biometric authentication has also been permitted.
Further, per the norms, in case of disconnection of a mobile number, it would not be allocated to any other customer for 90 days.
What considerations should we be looking at?
Isha Suri, Research Lead at the Centre for Internet and Society (CIS) observed that notwithstanding the notification, it must be examined if the provisions could be properly enforced till the last mile. “The smaller local stores too would be giving out the SIM cards. Thus, it would be essential to determine if they possess adequate infrastructure to carry out the entire process and more importantly have the necessary safeguards while dealing with such sensitive data,” she observes.
The researcher notes that there needs to be greater clarity about the agent’s requirements for acquiring, processing and retention of such data.
Ms Suri also observes that notwithstanding Aadhaar-based KYC requirements that have been around for some time now, issues (relating to frauds) continue to exist. Thus, according to her, it could be the case that, “something (else) does not seem to be working.”
Lastly, according to her, it is essential to strike a balance by “only acquiring the data that is strictly necessary and for the purpose it is being acquired for.”