The Telecom Regulatory Authority of India (Trai) has revised its earlier proposal on consent-based sharing of mobile subscribers’ KYC data, saying the policy environment has evolved to make such a system more practical with the introduction of new cybersecurity rules and an official mobile number validation mechanism.
In a communication to the Department of Telecommunications (DoT), Trai said the government should create “a data sharing and consent management framework on the lines of DEPA framework for consent-based sharing or validation of telecom subscriber KYC data, including during number portability.”
The regulator has cited fresh provisions under the Telecommunications Act, 2023, and the Telecommunications Cyber-security (Amendment) Rules, 2025 — particularly the rollout of the Mobile Number Validation (MNV) platform, which allows authorised entities to digitally confirm whether a mobile number is genuinely linked to the user claiming it.
MNV acts as a backend identity check, letting authorised entities verify a phone number’s linkage without revealing or transferring the subscriber’s KYC file. It merely confirms whether the number-user pairing is correct, making it a privacy-preserving authentication tool.
Trai’s updated view comes after the DoT expressed concerns that its 2022 proposal might conflict with rules designed to prevent fraudulent SIM porting. The Department had returned two of Trai’s sub-recommendations, saying “consent-based sharing of KYC data with the recipient operator, at the time of porting, is not feasible,” and noting that full KYC is already required by the receiving operator.
Trai, however, clarified that it was not proposing direct handover of subscriber KYC files between operators. Instead, it referred to a proof-of-concept conducted on the government’s Data Intelligence Unit (DIU) platform, where demographic details submitted to a new operator were electronically matched against the old operator’s records — without any KYC data being transferred.
“This matching process has avoided direct interchange of KYC from one operator to another, which is in accordance with the prevailing licensing conditions, while serving the purpose of matching the demographic details,” Trai said.
The regulator also underlined that mobile numbers have become a core identity credential across government portals, banks, fintech firms, and private service providers.
“Trai considered that mobile numbers are being increasingly used to fulfil KYC norms by various government and private institutions, including financial and banking institutions. Since there is no centralised institutional mechanism in place today, each institution devises its own KYC fulfilment norms in its own way,” it said.
Trai reiterated its recommendation to align telecom data portability with India’s Account Aggregator (AA) network — the framework used for consent-based financial data sharing. As the DoT did not object to that aspect, the regulator has retained it in the revised submission.
The DEPA (Data Empowerment and Protection Architecture) framework, initially drafted by NITI Aayog, seeks to shift data control from organisations to individuals, building what it calls a “human-centric” data ecosystem.
