Who pays for trust? Unpacking DoT’s MNV framework and gaps

DoT’s MNV framework seeks to secure digital communication but sparks debate over rising business costs, privacy gaps, and the balance between trust and regulation.

Puneeth Nagaraj & Shaileja Verma

What began as a tool to bolster telecom cybersecurity may ultimately saddle businesses with compliance costs and expose users to privacy risks. The Department of Telecommunications' proposed Mobile Number Verification (MNV) platform hints at a regulatory model where the private sector bears the brunt, while the financial and informational rewards accrue elsewhere.

Recently proposed amendments to the Telecommunications (Telecom Cyber Security) Rules, 2024 seek to regulate “telecom identification user entities” (TIUEs)—essentially any business that uses mobile numbers or other telecom identifiers to provide services or identify users.

Under the envisaged MNV framework, a TIUE may, either voluntarily or upon government direction, place a request to validate whether a mobile number provided by a user matches telecom service providers’ (TSPs) databases. The goal: verify mobile number ownership. However, given the sweeping definition of a TIUE, the government could mandate even non-telecom entities to participate in the MNV platform. This raises concerns over regulatory overreach and significant privacy and financial implications for the broader digital ecosystem.

Privacy Protection and Its Blind Spots

The proposed cybersecurity amendments acknowledge the principle of ‘purpose limitation’ by stipulating that the MNV platform should only be used to validate users linked to a telecom identifier, and only for services tied to that identifier. However, they remain silent on the equally critical principle of ‘data minimisation’. It is not yet clear whether the validation process will yield a simple binary response or also disclose additional personal information, such as the user’s name or address.

This lack of clarity could result in the platform being misused by malicious actors seeking to mine or profile user data. The absence of mandated data minimisation, therefore, poses a substantial risk to user privacy.

The amendments also require both TIUEs and TSPs to comply with the Digital Personal Data Protection Act, 2023. While this alignment is notable, there is little clarity on implementation. For instance, what happens if a user declines consent for a validation check initiated voluntarily by an online platform? This raises two critical questions: Can a digital service provider deny access if the user opts out of validation? And would such a refusal be used to draw adverse inferences, potentially affecting the user’s access to services or their treatment on the platform?

Weighing the Financial Burden on Businesses

Beyond privacy concerns, the MNV framework introduces a pay-per-verification model with fees ranging from Rs 1.50 to Rs 3 per request. While seemingly modest, these costs can quickly escalate if user verification is done frequently and at scale. For large digital platforms, this could mean a significant outlay—one likely to be passed on to consumers.

If this results in users losing access to free or freemium platforms, it could undermine the government’s larger objective of promoting digital inclusion. Additionally, charging for what is positioned as a voluntary validation process may disincentivise participation, defeating the platform’s core purpose of combating cyber fraud through broad uptake.

The revenue model appears designed to support the MNV platform’s operational costs, with proceeds shared between the government and TSPs. Given the vast number of businesses that would fall under the TIUE category, this could translate into a substantial revenue stream. Yet, no oversight mechanisms are currently in place to govern the collection, distribution, or utilisation of these funds, raising questions around transparency and accountability.

A Broader Regulatory Comparison Raises Flags

India’s legal ecosystem already permits private entities to authenticate user credentials for a fee, but typically within clearly defined and regulated frameworks. The MNV platform, by contrast, lacks essential guardrails.

For example, under the Aadhaar (Payment of Fees for Performance of Authentication) Regulations, 2023, KYC-user agencies pay between Rs 0.50 and Rs 5 per authentication request. TSPs that use e-KYC to obtain demographic data, for instance, are charged Re 1 per request.

Similarly, regulated entities in the banking, financial services, and insurance sector are permitted to verify a customer’s PAN card through authorised agencies. This process includes a fixed, reasonable fee structure that allows entities to confirm a PAN’s validity and match it with the individual’s name and date of birth.

While the MNV platform mirrors this pay-per-verification structure, it departs significantly in two critical respects. First, Aadhaar and PAN authentication are limited to a narrow group of regulated entities performing compliance-specific roles. The MNV model, however, places no such threshold: any business can pay to validate mobile numbers, regardless of industry, function, or regulatory requirement. Second, whereas Aadhaar and PAN systems return only limited information, the scope of data disclosed via MNV remains undefined—raising alarms about potential data overreach.

The Draft National Telecom Policy, 2025, further reiterates the government’s intent to introduce an MNV service “for providing a secure telecom space to other services sector entities like banking, insurance, social media, e-governance, etc., for prevention of misuse of telecom resources for cyber frauds”.

The aspiration to create a robust MNV framework is, in principle, commendable. However, its current design raises significant concerns, including financial setbacks for businesses, as well as far-reaching privacy issues for the average digital customer. This merits thoughtful reconsideration of the Proposed Cyber-Security Amendments before implementation.

Nagaraj is a Partner and Verma is a Senior Associate at Shardul Amarchand Mangaldas & Co.
(The views expressed are those of the authors and do not reflect those of the organisation they work with.)
