On 23 December 2025, the Australian Communications and Media Authority (ACMA) quietly amended one of the country's most consequential identity rules: the Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2017. The change lets telcos verify a customer's identity at SIM activation using an accredited Digital ID — a government-backed digital wallet linked to credentials such as a driver's licence or Medicare card — instead of relying solely on a physical document check. On the same day, ACMA issued Telstra a formal warning for activating more than 18,000 prepaid services between November 2024 and February 2025 using a third-party verification method that the rules did not then permit.
The two events tell a single story. The 2017 Determination, made under the Telecommunications Act 1997, has required providers to obtain a customer's name, address and date of birth and verify identity before switching on a prepaid SIM. But it locked telcos into a narrow set of approved methods. Telstra's breach was not fraud or consumer harm — ACMA expressly found none — but the use of a perfectly reasonable accredited identity service that the instrument simply hadn't anticipated. The December amendment fixes exactly that gap.
The case for binding SIMs to verified identity
The strongest argument for tightening SIM-to-identity links is concrete and not easily dismissed. A prepaid SIM activated on a forged or stolen document is the entry point for SIM-swap attacks, account-takeover fraud, and scam call centres that churn through anonymous numbers. Australians reported $2.18 billion in scam losses in 2025, according to the ACCC's National Anti-Scam Centre, with phone-based contact remaining one of the highest-loss channels. Knowing that a real, verifiable person stands behind every active number raises the cost of industrial-scale fraud and gives investigators a thread to pull. Regulators in India and Malaysia have moved in the same direction for the same reason, and the policy logic is sound on its own terms.
We take that case seriously. The question is never whether fraud matters — it plainly does — but whether a given intervention is proportionate, targeted, and respectful of the people who are not criminals.
Why ACMA got the design right
Measured against that test, the December 2025 amendment is close to a model reform. Three features stand out.
- It is permissive, not mandatory. The rule adds Digital ID as an accepted method. It does not force any consumer to hold a Digital ID, nor does it strip away the existing document-based pathway. A person who declines to use the government wallet can still walk into a store with a passport.
- It is additive, not centralising. Australia's Digital ID system is built on a decentralised, accredited-provider model under the Digital ID Act 2024, with the Australian Government Digital ID System (AGDIS) opening to private-sector relying parties from December 2026. Verification can happen without telcos retaining a pile of scanned licences — reducing, rather than enlarging, the honeypot of identity documents that breaches like Optus (2022) and Medibank exposed.
- It is friction-reducing. Faster, cleaner activation is a genuine consumer benefit, not a regulatory cost dressed up as one. The Telstra episode shows telcos were already reaching for better verification tools; the rule now lets them.
This is what proportionate regulation looks like: expand the menu of compliant options, target the actual fraud vector, and avoid conscripting the entire population into a single mandatory system.
The risk lives in the 2026 review
ACMA has flagged that it will "progress a holistic review and update of the Prepaid Determination as a priority in 2026." That review is where the real policy choices will be made — and where the temptation to overreach is greatest.
The line to hold is between enabling Digital ID and mandating it. A rule that says telcos may accept Digital ID is pro-consumer. A rule that says every SIM must be bound to a verified government identity, with no anonymous or document-only path, is a different animal: it converts a fraud-prevention tool into a population-wide identity register attached to the most personal device most people own. That invites function creep — today fraud, tomorrow content age-verification, location tracking, or law-enforcement convenience — and it disproportionately burdens the people least able to navigate digital systems: domestic-violence survivors who need separation from a traceable identity, rural and elderly users, and recent arrivals without a full credential set.
Mandatory SIM-identity binding also has a poor international track record. Universal registration mandates from Pakistan to parts of Africa show that the most determined fraudsters migrate to black-market and stolen credentials while ordinary users absorb the friction and surveillance exposure. The marginal fraudster is deterred; the organised one adapts.
A standard for the review
Australia should treat the December 2025 amendment as the template, not the floor. Three principles would keep the 2026 review proportionate:
- Preserve optionality. Keep at least one non–Digital ID pathway to activation, so identity verification never becomes de facto mandatory enrolment in a government wallet.
- Minimise retention. Favour verify-and-discard architectures over telco-held document stores; the best identity check is one that leaves no breach-worthy residue.
- Tie any expansion to evidence. New obligations should be justified by measured fraud reduction, not assumed deterrence — and sunset-reviewed against the scam-loss data ACMA and the ACCC already publish.
The December amendment shows Australian regulators can solve a real problem without reaching for a national identity mandate. The 2026 review is the test of whether they will keep that discipline.