By Anuradha Gandhi and Rachita Thakur
Introduction
On January 06, 2025, the Supreme Court, in the case of State Bank Of India v. Pallabh Bhowmick & Ors., upheld banks’ liability for unauthorized transactions in a customer’s account. The fraud occurred when the customer, while attempting to return an online purchase, received a call from a fraudster impersonating the customer care executive of the store. The fraudster deceived him into downloading an app, leading to unauthorized withdrawals.[1] The increased reliance on mobile numbers for authenticating user identity has made them vulnerable to misuse by fraudsters, enabling various types of online and other scams.
To mitigate these risks, the Reserve Bank of India (RBI) released a circular on January 17, 2025, laying down regulatory prescriptions and institutional safeguards.
Key Highlights of the Circular
- Applicability: This circular shall be applicable to all regulated entities including:
  - Commercial Banks (including Regional Rural Banks, Small Finance Banks, Payment Banks, and Local Area Banks)
  - Primary (Urban) Co-operative Banks
  - State Co-operative Banks
  - District Central Co-operative Banks
  - Prepaid Payment Instrument Issuers
  - Non-Banking Financial Companies (including Housing Finance Companies)
  - Credit Information Companies
  - Payment Aggregators
  - Payment Systems Participants & Payment System Providers[2]
- Updating of Customer Data: The Regulated Entities shall use the Mobile Number Revocation List (MNRL) available on the Digital Intelligence Platform (DIP) developed by the Department of Telecommunications (DoT) to monitor and clean their customer database.[3]
- Monitoring and Prevention: The Regulated Entities shall develop Standard Operating Procedures (SOP) incorporating:
  - Updating the registered mobile number (RMN) after due verification
  - Enhanced monitoring of accounts linked to these revoked mobile numbers, to prevent the linked accounts from being operated as Money Mules and/or being involved in cyber frauds, etc.[4]
- Share Registered Customer Care Numbers with the DoT: The Regulated Entities shall furnish verified details of their authentic customer care numbers to the Digital Intelligence Platform or to the DoT email, i.e., adg.diu-dot@gov.in[5]
- Publication of Registered Customer Care Numbers: The Department of Telecommunications shall publish the list of verified customer care numbers of the Regulated Entities on the “Sanchar Saathi” portal at https://sancharsaathi.gov.in/
- Standardized use of Number Series: RBI advises the Regulated Entities to use a standardized numbering series based on the purpose and objective of the communication.
  - Transactional and Service Calls – ‘1600xx’ Numbering series
  - Promotional Calls – ‘1400xx’ Numbering series[6]
- Compliance with TRAI Guidelines on Commercial Communication: RBI advises the Regulated Entities to ensure compliance with the TRAI guidelines for Curbing Unsolicited Commercial Communications and the present circular latest by March 31st[7]
- Compliances for Senders under the TRAI UCC Guidelines: The RBI circular brings the Regulated Entities within the definition of ‘Senders’, which is defined by the TRAI regulations to include Banks, Mutual Funds, Insurance Companies, Stockbrokers, other Financial Institutions, Corporates, Enterprises, SMEs, big and small businesses, and any entity that wishes to send commercial communication to its existing or prospective customers. Senders shall comply with the following regulatory obligations:
  - Registration: Senders shall register themselves with any of the Telecom Service Providers (TSPs) on the DLT platform.[8]
  - Use of Specific Numbering Series: Senders shall use only the ‘140/160’ numbering series for making commercial voice calls. The ‘140’ numbering series shall be used specifically for promotional calls and the ‘160’ numbering series shall be used specifically for transactional and service calls.[9]
  - Registration of Voice and SMS Headers: Senders shall register their Voice and SMS Headers (i.e. indicators in the 140 and 160 series) with any of the Telecom Service Providers (TSPs) and send commercial communications through voice and SMS to customers using such registered Headers only.[10] They shall register only the minimum required number of Headers[11] and shall review and re-verify, on a periodical basis, all Headers registered by them and surrender or close unused Headers.[12]
  - Registration of Content Templates: Senders shall get their message Content Templates registered with the Telecom Service Providers.[13] They shall register only the minimum required number of Content Templates and shall review and re-verify, on a periodical basis, all Content Templates registered by them and surrender or close unused Content Templates.[14]
  - Classification of Headers: At the time of registration, Senders shall classify every Header as a ‘Temporary’ or ‘Permanent’ Header.[15]
  - Form of Content Templates: Senders shall ensure that minimum variable parts are used in the Content Templates, as variables are prone to misuse.[16] The Sender shall pre-tag these variable parts for the purpose they are intended to be used for; no information other than that defined in the pre-tagging[17] shall be included in the variable parts, and only whitelisted URLs/APKs (Applications)/OTT links/Call back numbers shall be included.[18]
  - Mode of sending Commercial Communication: Senders shall engage only Registered Telemarketers (RTMs) or establish direct connectivity with the Telecom Service Provider to send commercial communication.[19]
  - Digital Consent Acquisition Service: Senders shall onboard the Digital Consent Acquisition (DCA) system deployed by Access Providers for the acquisition of digital consent of the customers and integrate the same with their systems/processes.[20]
  - Maintenance of Confidentiality and Prevention of Misuse: Senders shall be responsible for maintaining the confidentiality and security of their customers’ data and for preventing its misuse and leakage.
  - Corrective Measure in case of breach of Confidentiality: The Sender shall take corrective or remedial measures in case of misuse or leakage of such data.[21]
  - Vicarious Liability of Sender: Senders shall be responsible for the misuse or leakage of data by Registered Telemarketers engaged by them and their employees, agents, representatives, associates etc.[22]
  - Chain between Sender and Access Provider: Senders shall ensure that there is a minimum number of aggregator-Registered Telemarketers, preferably not more than one or two, in the chain between the Sender and the Access Provider.[23]
  - Preference of Direct Connection: Preferably, the Sender shall have direct connectivity with Access Provider(s), to eliminate any Telemarketer in the chain.[24]
  - Transparency: The Sender shall disclose the entire chain of Registered Telemarketers between it and the Access Provider.[25]
  - Duty to report to Law Enforcement Agencies: Senders shall report to ‘Law Enforcement Agencies (LEAs)’/‘Agencies dealing with Cybercrime’ in case of misuse or leakage of Headers, Content Templates, Customer Data, etc.[26]
  - URL Shortening: Senders shall not use a URL shortening service without mention of entity extension.[27]
- Effect of Non-Compliance: Failure to comply with these regulations shall result in:
  - Disconnection of all telecom resources of the Sender for a period up to two years.
  - The Sender may be put under the blacklist category for the disconnection period, during which no new telecom resource shall be provided to them by any telecom service provider.[28]
- Awareness: The Sender shall inform its customers of their rights, including blocking of commercial communication in part or in entirety, along with their right to register a complaint in respect of violations of their rights.[29]
[1] 2025 LiveLaw (SC) 22
Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.
[3] Circular – Para 2(a)
[4] Circular – Para 2(a)
[5] Circular – Para 2(b)
[6] Circular – Para 2(c)
[7] Circular – Para 3
[8] Annexure – Para A(a)(1)
[9] Annexure – Para A(b)(1)
[10] Annexure – Para A(b)(6)
[11] Annexure – Para D(a)
[12] Annexure – Para D(a)
[13] Annexure – Para A(d)(1)
[14] Annexure – Para D(a)
[15] Annexure – Para D(b)
[16] Annexure – Para D(c)
[17] Annexure – Para D(d)
[18] Annexure – Para D(e)
[19] Annexure – Para A(e)
[20] Annexure – Para B(c)
[21] Annexure – Para C(a)
[22] Annexure – Para C(a)
[23] Annexure – Para C(c)
[24] Annexure – Para C(d)
[25] Annexure – Para C(e)
[26] Annexure – Para C(g)
[27] Annexure – Para D(f)
[28] Annexure – Para E
[29] Annexure – Para F