KYC for Telecom exists because a SIM card is one of the most portable identity artefacts in India. It gets linked to bank accounts, UPI, tax filings, and every OTP-authenticated service a person uses. Weak telecom KYC cascades directly into financial fraud, SIM swap attacks, and identity takeover.
Which is why the Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI) have tightened the framework progressively, with a material update in May 2024 for business and bulk connections, and ongoing reform around self-KYC, video KYC, and Aadhaar-based verification.
This guide explains how telecom KYC actually works in 2026: what the regulatory stack requires, what methods are permitted for new SIMs and business connections, what changed in 2024, and how fraud vectors like SIM swap and deepfake-led V-CIP shape current operational design. For the Aadhaar integration that sits underneath most telecom KYC paths today, our biometric identity verification explainer covers the core mechanics.
The Regulatory Framework for Telecom KYC in India
Three authorities govern telecom KYC, and each plays a specific role.
Department of Telecommunications (DoT) Role
The DoT is the licensor for telecom operators in India, and the Unified Licence conditions specify KYC obligations that operators must meet to keep their licence. DoT updates these conditions through circulars, which carry binding force on licensees and get enforced through licence-renewal conditions and penalty actions. Most telecom KYC changes in the last decade have come through DoT circulars rather than primary legislation.
TRAI’s Advisory and Recommendation Function
TRAI recommends policies to the DoT; DoT decides whether to adopt them. TRAI’s recommendations are non-binding at the moment of issuance but tend to become binding through DoT circulars within 6 to 18 months. TRAI’s 2017 recommendations on Aadhaar-based eKYC and its 2019 recommendations on KYC for direct-to-home and cable services are examples that shaped the current framework through subsequent DoT instructions.
UIDAI and the Telecom Regulatory Ecosystem
UIDAI sits underneath both DoT and TRAI as the infrastructure provider for Aadhaar-based eKYC. The 2018 Supreme Court Aadhaar judgment defined when Aadhaar can be mandatory versus voluntary for telecom KYC, and the current framework treats Aadhaar as one of several accepted Officially Valid Documents rather than the mandatory default. Post-2018, telecom operators retained Aadhaar as an option because of its operational efficiency for eKYC, but they cannot refuse service to a customer who provides an alternative OVD.
KYC Methods Permitted for New SIM Issuance
Four methods are currently permitted for issuing a new SIM card, and each has specific operational constraints.
Aadhaar-Based eKYC (OTP and Biometric)
Aadhaar eKYC remains the most efficient path for telecom KYC where the customer has Aadhaar. OTP-based Aadhaar eKYC returns demographic data from UIDAI after the customer confirms an OTP on their Aadhaar-linked mobile. Biometric Aadhaar eKYC requires a fingerprint or iris scan at a point-of-service and is common at operator retail outlets. Both methods complete in minutes rather than hours.
Digital KYC and Self-KYC via App or Portal
The DoT’s Self-KYC circular from 2021 permits customers to complete KYC through an operator’s app or portal without a physical retail visit. The customer authenticates to the operator, fetches verified documents (typically through UIDAI or DigiLocker), completes a liveness check, and receives the SIM by delivery. This path is now the default for outstation and remote customers. Most operators run their self-KYC flow on top of a DigiLocker integration for document fetch.
Physical KYC With Officially Valid Documents
Customers without Aadhaar or without smartphone access complete KYC at the operator’s retailer with a physical copy of an OVD (passport, voter ID, driving licence, or similar). The retailer captures the document, performs a physical verification of the customer against the document photograph, and submits the activation request to the operator. The retailer bears liability for KYC accuracy, and operators run periodic retailer audits to catch poor-quality KYC at the retail channel.
DigiLocker Integration for Document Fetch
DigiLocker fetch is increasingly embedded inside the operator’s self-KYC flow rather than standing as a separate method. The customer authorises the operator to fetch their Aadhaar and PAN from DigiLocker during the self-KYC session, and the operator verifies the digitally-signed documents on arrival. This is operationally equivalent to Aadhaar eKYC in speed but uses DigiLocker’s signed-document path rather than UIDAI’s demographic-data path, which gives the operator a document artefact to retain.
KYC for Business Connections: The May 2024 DoT Update
Business and bulk connections got their own KYC framework in May 2024, and it materially changes how operators onboard corporate customers.
Entity-Level KYC of the Business
Before the May 2024 update, business connection KYC focused on the authorised signatory’s identity. The revised framework requires entity-level KYC of the business itself: Certificate of Incorporation, GST registration, PAN, and registered address proof must all be verified against primary sources. This closes a gap that bulk-SIM fraudsters had exploited by registering shell entities with weak primary documentation.
End-User KYC for Bulk Connections
Under the revised instructions, each end-user of a business connection must undergo individual KYC, and the end-user demographic information captured during KYC must match the list the business provided when applying for the connections. This creates a double-reconciliation: the business says “these N employees will use these N SIMs”, and the operator verifies each end-user matches the claimed identity. Connections that fail the reconciliation do not get activated.
Re-Verification on End-User Change
When an end-user changes (employee leaves, new employee joins), the business must inform the operator and the new end-user must complete KYC within 7 days. Failure to re-verify within the window is grounds for deactivation of that specific connection. This is a substantial operational lift for businesses with high employee turnover, and most operators now expose self-service portals for business customers to manage end-user KYC at scale.
Re-Verification and Ongoing Compliance
Beyond the initial issuance, telecom KYC has ongoing obligations that operators must satisfy.
Trigger Events for Re-Verification
Re-verification of an existing SIM is triggered by defined events: a reported SIM swap, a Mobile Number Portability (MNP) request with a discrepancy, a fraud flag raised by the operator’s monitoring, or a request from a regulatory or law enforcement authority. Unlike the periodic KYC model for banks, telecom KYC does not have a calendar-based refresh for most customers. The trigger model dominates.
Disconnection and Reconnection Workflow
When KYC compliance fails on an existing connection (end-user change not re-verified, KYC data mismatch discovered in an audit), the operator follows a defined disconnection protocol: advance notice to the customer, grace period for compliance, then disconnection if compliance is not restored. Reconnection requires the customer to complete fresh KYC, which typically happens at the retail channel because of the heightened scrutiny at this stage.
Telecom KYC Fraud Vectors and Defences
Three fraud vectors dominate telecom KYC risk, and the defences are progressively tightening.
SIM Swap and Identity Takeover
SIM swap is where a fraudster uses weak KYC to take over a victim’s mobile number, then uses the number to complete OTP-authenticated takeovers of the victim’s bank accounts, UPI, and other services. The attack vector is almost always a KYC weakness at the port-in or replacement step: the fraudster presents fake documentation and the operator’s KYC process fails to catch it. Biometric re-verification at the point of SIM replacement is the most effective defence, and biometric identity verification at this step has become standard practice at the major operators.
Bulk Connection Misuse
Before the May 2024 update, bulk connections issued to businesses were a common vector for telemarketing fraud and scam calls because the operator’s visibility into end-user identity was limited. The 2024 framework closes most of this gap by requiring end-user KYC per SIM and reconciliation against the business’s declared list. Ongoing misuse now tends to come from more sophisticated vectors: compromised employee credentials, insider threats at the business, rather than bulk-fraud at issuance.
Synthetic Identity and Deepfake in V-CIP
The newest vector is synthetic identity and deepfake attacks on video KYC sessions. A fraudster uses AI-generated faces or deepfake overlays on legitimate video calls to bypass liveness checks during self-KYC. Defensive capability requires liveness checks that detect synthetic faces at the capture step, and for operators with heightened risk exposure, ongoing device fingerprinting and behavioural signals that surface anomalies even after KYC succeeds. Our deepfake examples guide covers the vector types that surface most often in V-CIP.
Building a Telecom KYC Operation
For operators and MVNOs running telecom KYC at scale, two operational dimensions matter.
Point-of-Sale and Retailer Control
The retail channel is where most physical KYC happens, and retailer fraud or carelessness is a primary risk. Controls include agent certification before activation privileges are granted, full audit trails on every KYC completed, geo-fencing of captures against the retailer’s registered location, and periodic performance audits that surface outlier agents with abnormal approval or rejection rates. Most major operators now centralise retailer KYC tooling rather than letting each retailer use their own devices.
Tech Stack for Self-KYC
The self-KYC path requires OCR for document capture, liveness detection for the selfie step, UIDAI and DigiLocker integration for document verification, and a defined fallback path when any of these steps fails. A phone verification API validates the customer’s number before the KYC session starts, catching spoofed or invalid numbers early. Aadhaar card OCR, via an Aadhaar card verification OCR service, handles the cases where DigiLocker fetch is not available.
Where Telecom KYC Is Heading
The direction of travel for telecom KYC is toward tighter real-time verification, stronger biometric authentication at SIM replacement, and ongoing end-user reconciliation for business connections. The May 2024 DoT update is one step; further updates on synthetic identity defence and biometric re-verification at MNP are likely in the next 12-24 months. Operators that build their KYC stack around verifiable document fetch, deepfake-resistant liveness, and event-triggered re-verification will adapt to the next update with minimal engineering effort. Those running legacy self-attested document workflows will not.
To see how HyperVerge helps telecom operators and MVNOs run SIM KYC at scale with Aadhaar eKYC, DigiLocker integration, deepfake-resistant liveness, and business connection end-user reconciliation, sign up for a product walkthrough.
