In a major step toward strengthening India’s digital communication security, the Telecom Regulatory Authority of India (TRAI) has issued a new Direction requiring mandatory pre-tagging of all variable fields in SMS content templates used for commercial communication. Announced through Press Release No. 133/2025 on 18 November 2025, the mandate aims to plug loopholes that fraudsters have increasingly exploited to insert harmful links and numbers into registered SMS templates.
SMS remains one of the most trusted communication channels for banks, government departments, financial service providers, and essential service platforms. However, the rising sophistication of phishing campaigns and unregistered spam messages has become a significant threat to users. TRAI’s new directive is a targeted measure to safeguard consumers and reinforce the ecosystem of trusted communications.
What Are Variable Components in SMS Templates?
Commercial SMS templates consist of largely static text with certain dynamic fields—referred to as variables—that change per user or per communication. These may include:
- URLs
- Application download links
- Callback phone numbers
- Account-specific information
While the static portion of a template is vetted and approved by Access Providers, the untagged nature of variable components has allowed malicious actors to inject fraudulent links or numbers without being detected.
What Does TRAI’s Direction Require?
Under the new rule, every variable field must be pre-tagged at the time of template registration. This means principal entities (PEs) must clearly specify the purpose of each variable—such as tagging it as #url#, #callback#, or #applink#—before the template is approved.
Pre-tagging allows Access Providers’ automated systems to:
- Identify the type of content contained in each variable
- Verify whether the inserted value belongs to a whitelisted domain, link, or number
- Scrub content more accurately and prevent insertion of unauthorized information
Without such tagging, scrubbing tools cannot differentiate between legitimate and suspicious variables, creating opportunities for fraud.
Why This Change Was Necessary
TRAI highlighted evidence from multiple investigations into unsolicited commercial communication (UCC), showing that the absence of predefined tagging has been repeatedly exploited in phishing and fraud attempts. Fraudsters have used approved templates to embed unregistered URLs, harmful links, or deceptive callback numbers—leading to financial loss, data breaches, and other forms of cyber harm for unsuspecting users.
Mandatory pre-tagging ensures traceability, accountability, and complete visibility for regulators and telecom operators, closing a critical vulnerability in the current system.
Compliance Requirements for Access Providers and PEs
- All principal entities must update and re-register existing SMS templates with appropriate pre-tagging within 60 days.
- After the compliance window expires, any message sent using a non-compliant template will be rejected and will not be delivered.
This deadline underscores TRAI’s seriousness in tightening security across digital messaging channels.
Strengthening Consumer Trust in Digital Communication
The new Direction further reinforces the safeguards under the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, which form the backbone of India’s anti-spam framework. By bringing clarity and control to variable fields in SMS templates, TRAI aims to significantly curb unauthorized commercial communication and restore user trust.
As digital interactions continue to expand across banking, governance, and essential services, this proactive step from TRAI marks a pivotal moment in securing India’s communication infrastructure.