A new directive issued by the Department of Telecommunications (DoT) requiring online messaging apps such as WhatsApp, Telegram, and Signal to mandatorily bind SIM cards to user accounts, has been welcomed by telecom body COAI as a “landmark step” to prevent cyber fraud.
“Such continuous linkage ensures complete accountability and traceability for any activity undertaken by the SIM card and its associated Communication App, thereby closing long-persistent gaps that have enabled anonymity and misuse,” Lt. Gen. Dr. S.P. Kochhar, director general, Cellular Operators Association of India (COAI), said in a statement on Monday, December 1.
The industry body, which counts Indian telecom majors such as Bharti Airtel, Reliance Jio, and Vodafone Idea as its members, further urged the DoT and the Reserve Bank of India (RBI) to ensure that all financial transactions should mandatorily be authenticated through SMS OTP.
Claiming that telcos have undertaken several measures to curb scam/spam calls and SMSes, the COAI pushed for the DoT to ensure that app-based communication services also implement “maximum possible mitigation of risks for subscribers across all communication channels.”
The DoT has said that the new directive is meant to address rising digital fraud in the country. While telcos have backed the move, OTT communication platforms are expected to push back against the new requirements – setting the stage for yet another industry showdown. The Indian Express has reached out to Meta, Telegram, Signal, and Zoho for comment.
Digital rights advocates and other stakeholders have also warned that the SIM-binding mandate could lead to erosion of users’ privacy, create hurdles for people travelling abroad, and complicate access for those who use messaging platforms across multiple devices, especially in professional set-ups.
Why is this happening?
Currently, apps like WhatsApp verify a user’s identity by sending a one-time password (OTP) to their mobile number or scanning a QR code (in the case of WhatsApp Web). This allows users to continue accessing the platform on devices that do not have a SIM card. However, according to the DoT, this has made it difficult to track cyber fraudsters and prevent scams that involve hijacking a user’s account.
Story continues below this ad
“… it has come to the notice of Central Government that some of the app based communication services that are utilising mobile number for identification of its customers… allow users to consume their services without availability of the underlying SIM within the device… posing challenge to telecom cyber security as it is being misused from outside the country to commit cyber-frauds,” the DoT said.
What does the directive say?
Drawing its powers from the Telecommunication Cybersecurity Amendment Rules, 2025, which were notified in October this year, the DoT has brought digital service providers under its oversight by classifying them as telecommunication identifier user entities (TIUEs).
A TIUE is defined as “a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning, or delivery of services.”
In its notices sent to TIUEs such as WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, and Josh, the telecom department ordered these platforms to ensure, within the next 90 days, that SIM cards remain continuously linked to user accounts.
Story continues below this ad
For companion web instances, these platforms are required to ensure users are logged out periodically (not later than 6 hours) and must offer an option to relink accounts through a QR-code-based method. Platforms will also have to send a compliance report to the DoT within the next four months.
What is SIM binding? How effective is it?
Several Unified Payment Interface (UPI) apps and banking platforms already enforce active-SIM rules to prevent fraud. Earlier this year, the Securities and Exchange Board of India (SEBI) proposed the binding of trading accounts to SIM cards along with mandatory biometric and facial recognition checks, in order to ensure that only the actual trader could access their account.
However, experts have pointed out that SIM-binding may not be as effective in curbing digital fraud since scammers can always bypass KYC norms and procure SIM cards using mule accounts or forged IDs. The directive has also drawn criticism because it leaves several questions unanswered, such as what happens when a user upgrades their SIM from 4G to 5G, switches devices, or replaces a damaged SIM card.
