India is in the middle of one of the world's most ambitious experiments in tying a citizen's digital life to a single piece of plastic. Under the Telecommunications Act, 2023 and the Telecom Cyber Security Rules, 2024, the Department of Telecommunications (DoT) is steadily turning the SIM card into a verified identity token — and using the Sanchar Saathi platform and the Mobile Number Revocation List (MNRL) to cut off not just SIMs that fail Aadhaar or biometric checks, but the bank accounts and UPI handles linked to them.
The intent is legitimate. India loses staggering sums to telecom-enabled fraud each year, and the National Cybercrime Reporting Portal has logged a steep climb in complaints tied to mule SIMs, fake KYC, and spoofed calls. A telecom number in India is no longer just a number — it is the second factor for banking, the handle for UPI, the login for DigiLocker, and the gateway to government welfare. Hardening that gateway is a reasonable policy goal.
But the architecture being built around it is starting to look less like fraud prevention and more like a centrally operated digital kill switch. That is where proportionality concerns begin.
What the new framework actually does
The Telecommunications Act, 2023, which replaced the colonial-era Indian Telegraph Act, gave the Centre broad powers to prescribe identification standards for telecom subscribers and to suspend services on cyber-security grounds. The Telecom Cyber Security Rules, 2024, notified by the DoT, fleshed out the operational layer:
- Telecom operators must verify subscribers against government-issued ID, with Aadhaar e-KYC as the default rail.
- The DoT maintains a Mobile Number Revocation List of disconnected numbers, which is shared with banks, payment system operators, and platforms.
- The Sanchar Saathi portal lets citizens and investigators flag suspicious connections, and gives the DoT a centralised dashboard to push down disconnection orders.
- Numbers flagged as fraudulent, untraceable, or failing re-verification can have their linked bank accounts and UPI handles frozen by the consuming institutions.
Officials have publicly cited the disconnection of millions of "suspicious" SIMs since the framework began rolling out, and the freezing of large numbers of bank accounts pulled from MNRL feeds.
The case for hardening the SIM layer
To be fair to the DoT, the threat model is real. Mule-account economies depend on cheaply obtained SIMs registered against stolen or synthetic identities. Tightening the link between a telecom subscription and a verifiable individual closes off some of the cheapest attack vectors in the South Asian fraud ecosystem. The Reserve Bank of India's repeated warnings on digital-payment frauds and the Indian Cyber Crime Coordination Centre's (I4C) operational data both point in the same direction: the SIM is the soft underbelly.
A proportionate, evidence-based response to that problem is welcome. So is the principle that telecom operators — who profit from the connection — should bear more KYC responsibility.
Where proportionality breaks down
The problem is not the goal; it is the blast radius of the enforcement mechanism.
When a SIM fails re-verification, the consequence is no longer limited to the loss of a phone line. Under the rules, that signal propagates automatically into the financial system: linked bank accounts can be frozen, UPI handles deactivated, and access to government services through OTP-based authentication broken. For a migrant worker, a small trader, or an elderly subscriber whose Aadhaar biometrics fail — a well-documented problem flagged by the Comptroller and Auditor General and multiple field studies — the result is sudden exclusion from work, welfare, and savings.
That is a heavy penalty to impose by administrative action, often without a meaningful hearing.
Fraud prevention that disconnects a SIM is law enforcement. Fraud prevention that simultaneously freezes a citizen's bank account, UPI ID, and welfare access is something closer to a civil death — and it should require a higher standard of due process.
Three concerns stand out:
- No proportionality test: The rules do not visibly distinguish between a SIM that failed a biometric match because of dry fingertips and a SIM provably used in cyber-fraud. The downstream financial action is similar.
- Weak appeal pathway: Sanchar Saathi offers a re-verification request, but there is no statutory, time-bound, independent grievance mechanism comparable to what the Digital Personal Data Protection Act, 2023 imagines for data disputes.
- Function creep risk: The MNRL is becoming a quasi-blacklist consumed by private platforms. Without clear sunset and audit rules, the same plumbing that disconnects fraudsters today can be repurposed tomorrow.
A pro-innovation correction is still possible
India does not have to choose between effective anti-fraud action and a free, open digital economy. A few course corrections would preserve the security benefits while protecting innovation and rights:
- Decouple the telecom disconnection action from automatic financial freezes. Let banks and PSPs make their own risk decisions on MNRL data, with their own customer-notice obligations under RBI rules.
- Publish disconnection statistics and false-positive rates on Sanchar Saathi, the way TRAI publishes telecom performance indicators.
- Create a fast, independent appeals tribunal for MNRL listings, with a statutory turnaround.
- Treat biometric-failure cases as a separate track from fraud-evidence cases, with alternative KYC for genuine users.
India's identity stack — Aadhaar, UPI, DigiLocker, ONDC — is a genuine global success story, and the country's regulators have earned the right to be taken seriously when they say fraud must be tackled at the SIM layer. But that credibility is precisely why the next moves matter. A regime that can silently revoke a citizen's economic life without a hearing is not a stronger digital economy; it is a more fragile one. The proportionate path is to keep the anti-fraud plumbing and add the due-process valves.