The Reserve Bank of India, through Circular No. RBI/2024-25/105 dated 17 January 2025, directed all regulated entities to implement institutional safeguards against financial frauds perpetrated through voice calls and SMS. The circular prescribes a comprehensive framework for mitigating risks arising from unsolicited commercial communications in the financial sector, with a compliance deadline of 31 March 2025.
Background
India has witnessed a sharp increase in financial fraud conducted through unsolicited voice calls and SMS messages, with fraudsters impersonating banks, insurance companies, and other financial institutions to extract sensitive information from customers. The proliferation of digital payment channels has expanded the attack surface, making mobile phones a primary vector for financial fraud.
The Department of Telecommunications had already established the Digital Intelligence Platform (DIP) and the Sanchar Saathi portal to combat telecom fraud. The RBI's circular builds on these infrastructure developments by mandating that regulated entities actively integrate with these systems and adopt standardised communication protocols.
Key Provisions
The circular introduces the following requirements for all RBI-regulated entities, including commercial banks, cooperative banks, NBFCs, and payment system operators:
Mobile Number Revocation List integration: Regulated entities must regularly cross-reference their customer databases against the Mobile Number Revocation List (MNRL) maintained on the Digital Intelligence Platform. Numbers that have been deactivated due to fraudulent activity, identity theft, or prolonged inactivity must be flagged and corresponding accounts placed under enhanced monitoring.
Standardised numbering for communications: All promotional calls by regulated entities must use the designated '140' numbering series. Service calls — including transaction alerts, OTP delivery, and account notifications — must use the '160' series. This enables customers to distinguish legitimate communications from potential fraud attempts.
Customer care registration on Sanchar Saathi: Regulated entities must register their customer care numbers with the Digital Intelligence Platform, which will publish them on the Sanchar Saathi portal. This creates a verifiable directory that customers can consult to confirm whether a call originates from their financial institution.
Customer awareness and reporting: Entities must implement awareness campaigns to educate customers about identifying fraudulent communications and provide accessible channels for reporting suspected fraud.
Implications for Practitioners
This circular has immediate operational implications for the compliance and technology teams of all RBI-regulated entities. The 31 March 2025 deadline requires rapid integration with the DIP infrastructure, database cleansing against the MNRL, and migration of communication systems to the prescribed numbering series.
Legal practitioners advising financial institutions should review existing customer communication agreements and privacy policies to ensure compatibility with the new framework. The mandatory database cross-referencing against MNRL may trigger obligations under data protection principles, particularly where customer accounts are flagged or restricted based on third-party revocation data.
For consumer protection advocates, the circular provides a regulatory basis for holding financial institutions accountable for failing to implement adequate safeguards. Non-compliance with the prescribed measures could be relevant in disputes where customers suffer losses from fraudulent communications that the entity's systems should have intercepted.