TRAI’s latest reply to the Department of Telecommunications’ back-reference marks a pivotal moment in India’s efforts to reconcile mobile portability, telecom KYC, and a consent-first data economy; the regulator has softened the wording of one recommendation while doubling down on a broader, DEPA-style vision that would let subscribers control and port their KYC and related telecom data through an interoperable consent layer across sectors.
Background / Overview
The Telecom Regulatory Authority of India (TRAI) originally recommended in its November 18, 2022 report a set of measures to strengthen India’s data economy, including two closely watched items—recommendations 6.39 and 6.40—calling for a Data Empowerment and Protection Architecture (DEPA)-style framework to enable secure, consented sharing of telecom subscriber KYC for use cases such as mobile number portability (MNP). The Department of Telecommunications (DoT) returned a back-reference (dated in the user-provided material as August 29, 2025) asking TRAI to reconsider those two recommendations on grounds that they may conflict with current MNP procedures and regulatory constraints on transferring customer KYC between operators.
TRAI’s reply, issued publicly on November 17, 2025, accepts that the present MNP implementation and legal contours create immediate constraints, but it points to recent developments—biometric KYC statutory moves under the Telecommunications Act, the rollout of the Mobile Number Validation (MNV) platform, the Digital Intelligence Unit (DIU)-led demographic-matching processes, and draft rules enabling consent-based data disclosure—as evidence the ecosystem is evolving toward purpose-built, consented interchange. TRAI has therefore revised recommendation 6.39 to explicitly promote a
consent-driven, DEPA-like validation and data‑sharing model across telecom use cases rather than a portability-only mechanism, while reaffirming recommendation 6.40 that envisions integrating telecom consent-managed data with the Financial Sector’s Account Aggregator ecosystem to create a unified consent layer for cross-sectoral data flows.
This response is both incremental and ambitious: incremental because TRAI narrows the immediate scope of implementation to consent-anchored mechanisms rather than mandatory KYC handoffs; ambitious because it continues to press for cross-sector interoperability and an economy-wide consent fabric. The rest of this piece breaks down the technical, legal and operational implications, tests the feasibility of TRAI’s preferred path, and evaluates the risks—both to subscribers’ privacy and to telco operations—if the proposals are pursued without careful design and oversight.
Why this matters: the problem TRAI is trying to fix
India’s telecom landscape still relies on repeated KYC verification: when a user opens a new account, ports a number, or seeks credit or other services, each service provider often repeats identity checks. That duplication is costly, friction‑filled for users, and creates many copies of sensitive data across operators and service providers—an attractive footprint for misuse and breaches.
TRAI’s policy thread is centered on three core objectives:
- Reduce duplication of identity verification and associated costs across banks, fintechs and telecom service providers.
- Increase user agency by giving subscribers a way to permit verifiable, time‑bound sharing of their identity records (KYC, UCC preferences, credit-related information).
- Create a structured data economy in which interoperable consent mechanisms enable secure, auditable value flows without wholesale replication of sensitive KYC data.
These objectives are aligned with larger Indian policy moves that emphasize
verifiable consent mechanisms, the emergence of consent-manager frameworks, and sectoral experiments in consent-based data portability. Practical success, however, depends on careful harmonisation of telecom licence obligations, lawful interception and KYC integrity checks with privacy-safe, auditable consent rails.
What TRAI changed — the revised recommendation 6.39 and steady 6.40
Recommendation 6.39 (reworked)
TRAI has reworded the recommendation to make clear that the government should design a
consent-driven data‑sharing and validation framework modeled on DEPA, but applicable not just to MNP, and instead to
a broad set of telecom use cases. The emphasis is explicitly on
validation and consent rather than automated bilateral KYC transfers.
Key elements of the revised approach include:
- A consent manager model that records and enforces user-directed authorisations.
- A validation interface that lets operators or authorised platforms verify subscriber attributes (for example, name, date of birth, photo-match) in real time when the subscriber consents to such checks.
- Design choices that limit raw KYC transfer and instead favor verifiable assertions or tokens—minimising data exposure while preserving the ability to confirm identity.
This rework reflects a practical compromise: it recognises current MNP mechanics and legal obligations but advances a future-proof architecture where consent and validation replace repeated wholesale record transfers.
Recommendation 6.40 (reiterated)
TRAI remains firm on its more forward‑looking recommendation to integrate telecom consent mechanisms with the
Account Aggregator (AA) ecosystem administered under India’s financial architecture. The idea is to make telecom KYC, tariff preferences, usage metadata and credit indicators available under a common consent layer so users can manage cross-sector data sharing from a single consent portfolio.
Why this matters:
- A unified consent layer would reduce verification cost and time for inter-sector services.
- It would enable richer, consented services (credit offers tied to telecom usage patterns, subscriber-controlled portability of preferences).
- It offers an avenue to reconcile telecom identity verification with financial-account identity workflows.
TRAI notes that DoT did not provide substantive reasons for rejecting this integration and therefore reiterates the recommendation. That insistence signals the regulator’s long-term view: identity and consent are systemic infrastructure, not siloed operational conveniences.
The technical building blocks TRAI cites (and how mature they are)
TRAI points to several technical and policy components as evidence the environment is moving toward its vision:
- Biometric KYC mandates under the Telecommunications Act — TRAI references statutory moves that make biometric verification an enforceable component of telecom KYC in some contexts. The presence of biometric requirements can strengthen identity assurance but raises privacy, retention, and security trade-offs that need explicit safeguards.
- Mobile Number Validation (MNV) platform — MNV is presented as a government-led validation utility that can help verify mobile subscriber attributes during onboarding or MNP.
- Digital Intelligence Unit (DIU)-led demographic-matching for MNP compliance — the DIU platform is currently being used for demographic matching in the MNP flow, complying with licence conditions while limiting wholesale KYC transfers.
- Draft rules enabling consent-based data disclosure — emerging rules around consent managers and DPDP‑aligned obligations indicate a policy trajectory toward registered consent intermediaries and auditable consent records.
Some of these pieces (consent-manager registration and a digital-first Data Protection Board regime) are also echoed in broader national data-protection and governance conversations, which emphasize certified consent managers, breach reporting windows, and auditability—policy levers that would be necessary for a DEPA-style telecom rollout. These governance components are discussed in related regulatory analyses that stress registration and headquarters requirements for consent managers, and the necessity for auditable consent trails.
Caveat: while these building blocks exist in nascent forms,
operational maturity varies. DIU/MNV may handle demographic matching today, but converting that to an interoperable, privacy-safe DEPA model requires additional engineering, standards, and legal scaffolding—especially around lawful interception and retention requirements.
Strengths of TRAI’s reworked approach
- Pragmatic pathway: Reframing the recommendation as consent-and-validation-first lowers immediate legal frictions with the MNP process while keeping the endpoint—interoperable, consented exchange—on the roadmap.
- User empowerment: A DEPA-like consent layer puts control in subscribers’ hands, letting them manage who sees what, for how long, and for what purpose. This counters the current state where multiple institutions store identical KYC copies.
- Economic efficiency: Reducing repeat KYC checks lowers operational costs across banks, fintechs and telcos, and can accelerate digital onboarding and service delivery.
- Cross-sector innovation: Integration with the Account Aggregator ecosystem can unlock new financial and product services tied to telecom-derived signals, with consent as the gating mechanism.
These strengths rely on a credible certification and audit regime for consents and consent managers, as well as robust logging and tracing of user authorisations—capabilities that are being discussed in Indian regulatory circles and industry guidance. Implementers will need to instrument consent events end‑to‑end and make those events auditable.
Risks and friction points — why this will be hard
- Regulatory complexity around lawful interception and retention
Telecom licensing regimes carry lawful interception, national security and retention obligations that are stricter than many other sectors. Any mechanism that facilitates cross‑operator KYC interchange must ensure that such legal obligations are not undermined and that access by authorised agencies remains traceable and lawful.
- Fragmentation of authority and overlapping rules
Telecom, finance and data‑protection governance sit with different institutions. Coordinated rulemaking—standard consent schemas, minimal attribute assertions, revocation semantics—will be required to avoid conflicting obligations that stall implementation. India’s evolving DPDP and consent-manager frameworks set expectations (registration, headquarters, auditability), but practical harmonization remains work in progress.
- Security and privacy risks from centralisation or poor design
Any centralised repository or popular validation API becomes an attractive target. Minimising raw-data transfers by using verifiable tokens or assertions rather than full KYC copies mitigates risk, but the system must also handle revocation, expiry, liveness checks and repudiation protections. Runtime protections (BYOK, confidential compute, strict key management) and careful retention rules are necessary to keep decrypted data exposure minimal. Industry analyses emphasise the need for BYOK, audited runtime protections, and strict key-access controls for any system that processes sensitive personal content.
- Operational burdens on telcos
Implementing consent managers, adding verification APIs, instrumenting logs and proving consent provenance will redirect engineering capacity in telcos and banks from traditional network and product work to compliance and governance engineering. This is a non-trivial investment and likely asymmetric: large incumbents can absorb costs more easily than smaller players. Surveys of operational playbooks show that moving compliance from legal memos to engineering features is a material change in budgeting and staffing.
- User experience and consent fatigue
Consent is effective only when it is intelligible and manageable. A proliferation of fine-grained consent prompts can impose cognitive load on users. Well-designed consent managers and standardised purpose categories will be necessary to limit fatigue and to make consent decisions meaningful rather than perfunctory.
Technical design patterns and implementation options
TRAI’s vision can be implemented with multiple technical trade-offs. Below are pragmatic architectures ranked by exposure, complexity, and privacy profile.
- Assertion / Token-Based Validation (Recommended baseline)
- Instead of transferring raw KYC, the originator (operator A) issues a signed, time-limited assertion token that confirms specific attributes (e.g., “KYC verified: name, DOB, UID-hash true as of T”), which the recipient (operator B) can validate cryptographically with the issuer’s public key or via a registry.
- Benefits: reduces raw-data movement, supports minimal disclosure, and is easier to audit.
- Challenges: requires standard token formats, revocation lists and producers willing to vouch for assertions.
- Consent Manager + Validation API (DEPA-style)
- A registered consent manager mediates requests. The subscriber grants time-bound consent using the manager; operators query the manager or a validation API to either receive an assertion or, under strict rules, a limited dataset.
- Benefits: central consent logging, unified UI for users, easier revocation semantics.
- Challenges: consent manager certification, single points of failure, potential centralisation risk if not designed as a decentralised registry.
- Federated Verification with Zero-Knowledge or Privacy Enhancing Techniques
- Use cryptographic protocols (zero-knowledge proofs, selective disclosure) to let a subscriber prove possession of validated attributes without revealing raw data.
- Benefits: very strong privacy guarantees.
- Challenges: higher complexity, slower adoption curve, needs device support and common standards.
- Full Data Portability (Least recommended without strong governance)
- Wholesale transfer of KYC records between operators on user request.
- Benefits: simplest for legacy processes.
- Risks: high exposure, duplicated records increase breach surface, complicated consent audit.
Designers should combine token-based assertions with consent managers and progressive adoption of privacy-enhancing cryptography where feasible. Importantly, logging, audit trails, and revocation capabilities must be built from day one.
Governance, certification and audit — critical non‑technical levers
- Consent manager certification and registration: A national registry and certification process (with minimum security, data-residency and headquarters requirements) can prevent fly-by-night providers from acting as the consent plane. Policy conversations are already entertaining such registration regimes and operational controls for consent managers.
- Standardised consent schema: Uniform categories, purposes and minimal required attributes will reduce user confusion and permit automated policy checks.
- Continuous monitoring and external audits: Trusted third‑party audits and public attestation for consent logs will be essential to maintain trust.
- Breach notification and incident response: Short windows for breach notification and prescribed incident response workflows—already being discussed in DPDP-style rules—are essential complements to the technical design.
- Inter-regulator coordination: A joint working group across DoT, MeitY, RBI (where AA interactions exist), and the DPB (or future DPDP enforcement body) to issue implementable guidance and carve-outs where lawful interception or national security obligations conflict with portability goals.
Consumer impact and UX realism
A well-built consent layer could materially improve user experience:
- Faster porting and onboarding with one-click verified assertions.
- Single dashboard for consented data-sharing decisions across telecom and finance.
- Time- and purpose-bound sharing, including clear revocation.
However, bad UX design risks leaving users overwhelmed or agreeing to broad consents that undermine privacy. Consent managers must prioritise plain-language explanations, one-tap revocation, and an easily readable audit trail of past consents.
Market and strategic implications
- Incumbent advantage vs. innovation: Large telcos and banks with resources to implement certified consent infrastructure could capture the early benefits, while smaller players may struggle to comply without outsourced consent-management services.
- New intermediaries: A market for consent-management platforms, audit and privacy‑engineering providers will likely grow. This is an opportunity for privacy-first middleware vendors.
- Cross-sector competition: Access to telecom-derived assertions (with consent) could create new credit-scoring signals or targeted product flows, changing competitive dynamics among fintechs and banks.
Practical roadmap — staged steps for policymakers and implementers
- Short-term (0–6 months):
- Formalise consent-manager registration criteria and minimum security standards.
- Pilot assertion/token-based validation for a narrow set of MNP scenarios with clear audit trails.
- Publish standard consent schemas for telecom KYC attributes.
- Medium-term (6–18 months):
- Expand pilot to cover additional telecom use-cases (tariff preference portability, UCC preferences).
- Begin interoperability tests with Account Aggregator participants for non‑sensitive metadata flows.
- Require third‑party audits and transparency reports for consent managers.
- Long-term (18+ months):
- Pursue integration with the Account Aggregator network for consented cross‑sector flows with clear legal mapping.
- Introduce privacy-enhancing cryptography for selective disclosure use-cases.
- Institutionalise a joint regulator supervision framework to resolve conflicts across lawful interception, financial compliance, and data protection rules.
This staged approach balances immediate operational constraints with the long-term goal of a consent-first, interoperable data economy.
What remains unverified / cautionary notes
- Several specific claims in the TRAI–DoT exchange—such as the exact legal text of biometric KYC mandates under the Telecommunications Act, or precise technical specifications and deployment timelines for MNV/DIU—require verification against primary government notifications and official TRAI/DoT releases. Independent technical and legal validation of those statutes and platform capabilities is necessary before any large-scale rollout. Where regulatory statures and platform designs are referenced in this analysis, they are drawn from the regulator’s position as described in the provided material and related regulatory briefings; these items should be cross-checked against official gazette notifications and public releases for implementation details.
- The feasibility of integrating telecom validation with the Account Aggregator network at scale hinges on legal mapping across telecom licences, financial regulation and data‑protection rules—an alignment that may require new legislative clarifications or inter-departmental memoranda of understanding.
- Some operational claims about existing platform capabilities (e.g., DIU’s demographic-matching completeness, MNV platform coverage, or readiness of consent-manager vendors) are implementation-dependent and need empirical pilots to validate performance, latency and privacy assurances.
These cautionary notes reflect unresolved implementation complexity rather than a rebuttal of the policy goals; they should guide staged, evidence-driven pilots.
Final assessment and recommendations
TRAI’s reworked stance is strategically sensible: it pares down immediate expectations while preserving the long-term architecture that treats consent as infrastructure. The regulator’s insistence on integrating telecom consent frameworks with wider data-empowerment systems—particularly Account Aggregators—signals a systems-level mindset that treats identity as a cross-sector public good under user control.
For policymakers:
- Fast-track clear, minimum viable technical standards for assertion tokens and consent schemas.
- Mandate certification and registration for consent managers with periodic third‑party audits.
- Create an inter-regulatory protocol for resolving conflicts between lawful-interception/retention obligations and consent-based portability.
For telcos and fintechs:
- Start engineering consent audit trails and consent-provenance logging now; these will be table stakes.
- Participate in pilots that test token-based assertions rather than wholesale data transfers.
- Invest in privacy-enhancing techniques incrementally, beginning with tokenisation and selective disclosure.
For civil society and consumer groups:
- Push for strong default protections: minimal disclosure, short-lived consents, clear revocation paths, and transparent audit logs.
- Seek independent oversight and the ability to audit consent managers and validation providers.
If implemented carefully, TRAI’s approach could shift India away from repeated, siloed KYC checks and toward a more efficient, user-centric data economy. The path is neither quick nor risk-free: it will require coordinated rulemaking, rigorous certification, and a design culture that prioritises minimal disclosure and strong runtime protections. The next meaningful test will be how pilots handle the tension between identity assurance for telecom licences and the privacy-first intent of a DEPA-style consent model—successful pilots will prove the model’s viability; missteps could entrench data duplication and trust deficits that are far harder to unwind.
Conclusion
TRAI’s reply reframes ambition as a phased programme: start with consented validation and assertions, instrument consent properly, and then expand to cross-sector consent integration. The proposal is technically achievable and economically attractive, but its success depends on disciplined governance, technical standards that prioritise minimal disclosure, and a transparent certification regime for consent managers. Policymakers, operators and consumer advocates must now convert principles into interoperable APIs, auditable logs and legally coherent rules—otherwise the benefits of portability and consent will remain aspirational rather than transformational.
Source: Storyboard18
TRAI reworks data-sharing proposal for telecom KYC, reiterates push for broader consent architecture