SMS Fraud Crackdown: New Rules For OTP, Banking SMS—TRAI’s Pre-Tagging Mandate Explained
Under the new rules, commercial SMS senders must tag each variable during template registration, specifying its purpose.

The Telecom Regulatory Authority of India (TRAI) has directed access providers to enforce pre-tagging of all variable components, like links or numbers, in SMS content templates for commercial communication. This move is aimed at ensuring that commercial messages are properly verified before reaching recipients.
“Variable components typically include elements such as URLs, application download links, or callback numbers that may change from recipient to recipient or time to time, while the rest of the message text remains static,” the Ministry of Communications said in an official release on Tuesday.
Under the new rules, senders must tag each variable during template registration, specifying its purpose: for example, #url# for a URL. By validating each variable field in a commercial SMS before transmission, the initiative aims to prevent misuse of the digital messaging channels used for one-time passwords (OTPs), banking transactions and other financial services.
“Unless these variable fields are pre-tagged, access providers cannot identify or scrub them to determine whether the inserted values are from whitelisted domains, numbers, or links. Pre-tagging, therefore, becomes essential for automated identification and scrubbing of variable fields,” the statement added.
#TRAI has directed all telcos to clearly label links & numbers in commercial messages to make it easier to spot scams. Telcos & businesses must update their templates in 60 days, after which non-tagged messages will be blocked. #UCC #DigitalSafety #ConsumerAwareness #DigitalTrust
— TRAI (@TRAI) November 19, 2025
How The New Rules Will Help
According to the Ministry, evidence from multiple investigations shows that the absence of pre-defined tagging has been routinely exploited for fraudulent and phishing activities. It allowed unregistered or malicious URLs, app links and callback numbers to bypass detection in approved SMS templates.
“The direction aims to further strengthen the anti-spam and anti-fraud framework by ensuring complete visibility of variable fields in SMS and enabling access providers to apply stringent content scrubbing,” it added.
With mandatory pre-tagging, principal entities (PEs) must categorise and register these variable components upfront, making them traceable and accountable. Providers can then automatically check these tagged variables against approved lists (whitelisted domains or numbers) before delivery. This ensures enhanced security of commercial messaging. It targets fraudsters who insert harmful links and callback numbers to deceive users, often leading to financial fraud and data theft.
Under the revised rules, access providers are required to update all existing SMS templates within 60 days. After this compliance period, any messages sent using non-compliant templates will be rejected and will not be delivered.
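The scrubbing step described above can be sketched in code. This is an added example, not TRAI's or any access provider's implementation: it matches a message against its registered template, pulls out each tagged value and checks it against a whitelist. The `#cbn#` tag name, the whitelists and the sample template are assumptions constructed for illustration; only `#url#` comes from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelists and tag set. "#url#" is the tag named in the article;
# "#cbn#" (callback number) is a hypothetical tag name used for illustration.
ALLOWED_DOMAINS = {"bank.example"}
ALLOWED_NUMBERS = {"18001234567"}
TAG_PATTERNS = {"url": r"\S+", "cbn": r"\+?\d{7,15}"}

def compile_template(template):
    """Build a regex from a registered template; refuse unknown/generic tags."""
    parts, tags, pos = [], [], 0
    for m in re.finditer(r"#(\w+)#", template):
        tag = m.group(1)
        if tag not in TAG_PATTERNS:
            raise ValueError(f"variable #{tag}# is not pre-tagged with a known purpose")
        parts += [re.escape(template[pos:m.start()]), f"({TAG_PATTERNS[tag]})"]
        tags.append(tag)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts)), tags

def url_allowed(value):
    """Compare the parsed host, not the raw string, against the whitelist."""
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def scrub(template, message):
    """Return (deliver, reason) for one message sent under one template."""
    try:
        regex, tags = compile_template(template)
    except ValueError as exc:
        return False, str(exc)
    match = regex.fullmatch(message)
    if match is None:
        return False, "message text does not match the registered template"
    for tag, value in zip(tags, match.groups()):
        ok = url_allowed(value) if tag == "url" else value.lstrip("+") in ALLOWED_NUMBERS
        if not ok:
            return False, f"#{tag}# value is not whitelisted: {value}"
    return True, "ok"
```

Matching on the parsed hostname is what catches values that merely contain a whitelisted name, such as a URL that puts the trusted domain in the userinfo part or as a prefix of another domain.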
