Buying a prepaid SIM in Australia in 2026 is no longer a casual retail transaction. It is an identity-linked event, logged, verified, and increasingly cross-referenced against federal digital identity infrastructure. Through 2025 and into 2026, the Australian Communications and Media Authority (ACMA) has continued an aggressive enforcement push under the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, the regulation introduced in the wake of the 2022 Optus breach that exposed identity data belonging to roughly ten million Australians.
Carriers have felt the pressure. ACMA has issued infringement notices and formal warnings to, and accepted enforceable undertakings from, Telstra, Optus, TPG/Vodafone, and a string of smaller MVNOs over alleged failures to properly verify customer identity before activating or porting SIMs. The 2022 Determination sits atop earlier instruments — the Telecommunications (Service Provider — Identity Checks for Pre-paid Mobile Carriage Services) Determination 2017 and the Mobile Number Pre-Porting Additional Identity Verification Industry Standard 2020 — together forming one of the most prescriptive SIM-identity regimes in any liberal democracy.
The Optus Shadow and Its Long Tail
The policy origin story is well known. In September 2022, Optus disclosed a breach exposing names, dates of birth, addresses, and government-issued ID numbers of millions of current and former customers. The political reaction was swift, and ACMA's 2022 Determination — requiring multi-factor authentication for high-risk transactions like SIM swaps and ports — was a direct response to the SIM-jacking and identity fraud that followed.
The principle is sound. SIM-swap fraud is a real and rising threat globally, and 2FA bypass via hijacked phone numbers can drain bank accounts and compromise critical accounts in minutes. Requiring telcos to verify they are talking to the right human before handing over a number is, on its own merits, a sensible piece of consumer protection.
From Anti-Fraud Tool to Identity Backbone
The problem is the trajectory. The 2022 Determination layered onto pre-existing prepaid identity rules that already required documentary verification at the point of sale. The 2020 pre-porting standard added another verification layer. The cumulative effect: virtually every consumer interaction with a mobile carrier in Australia — activation, porting, replacement, plan changes — is now a verified-identity event, generating records that telcos must retain.
Then came the Digital ID Act 2024, in force from late 2024, which formalised the federal Trusted Digital Identity Framework and the accreditation of identity providers including the government's myGovID (rebranded as myID). Public consultations and policy papers through 2025 have floated proposals to integrate telco customer authentication into this framework — letting carriers verify customers via federal digital ID rails rather than scanning driver's licences.
The efficiency case is real. The civil liberties case for pausing is also real. What is emerging, by accretion rather than design, is a system where:
- You cannot lawfully obtain a working mobile number without identity verification linked to government records.
- That verification is increasingly routed through, or interoperable with, federal digital ID infrastructure.
- The retained records are accessible to law enforcement under existing telecommunications and metadata regimes.
- Private carriers operate the front end under regulatory compulsion, blurring the line between commercial KYC and state identity infrastructure.
The Proportionality Question
Australia has never legislated a general-purpose national identity card. The 1987 Australia Card proposal collapsed under sustained public opposition, and successive governments have been careful to frame digital identity initiatives as voluntary and federated. Yet a mobile number is, for most adults, a functional prerequisite for banking, employment, government services, and authentication into everything else. If you cannot get one without verified identity, the "voluntary" framing wears thin.
Anti-fraud rules that quietly become the gateway to participating in modern economic life deserve the same scrutiny as a national ID card — because in effect, that is what they are becoming.
Pro-innovation policy does not mean opposing identity verification for SIM swaps. It means insisting that proportionate, narrowly targeted measures stay proportionate and narrowly targeted. Three concerns deserve serious legislative attention.
1. Mission Creep Without Mandate
The 2022 Determination is a delegated instrument made by ACMA, not primary legislation debated by Parliament. Stacking it onto the 2017 and 2020 instruments, then integrating with the Digital ID Act, produces a national-scale identity architecture assembled from regulations none of which individually purported to create one.
2. Data Concentration Risk
The Optus breach is the very reason for this regime — and yet the regime requires telcos to collect and retain more verified identity data, not less. Without strong minimisation, encryption, and retention-limit rules, the policy may simply produce larger, more attractive honeypots for the next attacker.
3. Exclusion and Access
Identity-verification regimes systematically exclude domestic violence survivors, homeless Australians, recent migrants, and others without standard documentation. A regulator-led design optimised for fraud reduction will under-weight these access costs unless the framework demands otherwise.
What Sensible Reform Looks Like
A pro-innovation, proportionate path forward would: (i) move the substantive identity-verification mandate from delegated determinations into primary legislation, with sunset and review clauses; (ii) impose strict data-minimisation and short retention windows on verification records; (iii) require explicit parliamentary authorisation before integrating telco authentication into federal digital ID rails; and (iv) build in statutory exceptions and low-friction alternatives for vulnerable cohorts.
Australia's SIM-identity regime is not, in 2026, an authoritarian surveillance system. It is something more familiar and more insidious: a well-intentioned anti-fraud framework drifting into national identity infrastructure without ever being debated as such. The fix is not to roll back consumer protection. It is to call the system what it is becoming, and legislate it deliberately — before the architecture hardens and the question of consent becomes moot.