TRAI Mandates Pre-Tagging of Variables in SMS Templates to Curb Fraud and Misuse

The Telecom Regulatory Authority of India (TRAI) has issued a new Direction requiring all Access Providers to enforce mandatory pre-tagging of variable fields in SMS content templates used for commercial communication. The move aims to stop the growing misuse of dynamic SMS elements—such as URLs, callback numbers, and app download links—by fraudsters exploiting untagged template fields.

Why Pre-Tagging Has Become Necessary

Commercial SMS templates typically include a mix of static text and variable components—fields that may change based on the user or context. These variables can include:

  • URLs
  • Application download links
  • Callback and helpline numbers
  • OTP-related dynamic fields
  • Transaction-specific links

Until now, these variable fields were not required to be predefined or categorised, enabling scamsters to insert malicious URLs or unregistered numbers into otherwise approved templates.

TRAI’s investigations into Unsolicited Commercial Communication (UCC) cases reveal that the absence of tagging was a persistent loophole enabling phishing, data theft, impersonation, and financial fraud.

What the New Direction Requires

Under the revised compliance mandate:

  • Every variable field in an SMS template must be explicitly pre-tagged at the time of registration with Access Providers.
  • Variable fields must indicate their purpose — e.g.,
    • #url# for site links
    • #callback# for phone numbers
    • #downloadlink# for app-related URLs
  • Principal Entities (PEs) must categorise and declare each variable’s intended use.

This tagging makes the variable traceable, visible, and scrubbable by Access Providers before delivery.

How This Helps Prevent Fraud

Without pre-tagging, automated systems cannot identify whether a variable contains:

  • A non-whitelisted URL
  • A fraudulent callback number
  • Dangerous or phishing content

With mandatory tagging:

  • Access Providers can apply advanced content scrubbing rules.
  • Only pre-approved, whitelisted URLs and numbers will pass through.
  • Any attempt to insert unauthorized or malicious content gets blocked instantly.
  • Principal Entities become more accountable for every element sent via their templates.

This ensures stronger protection against:

  • Phishing
  • Financial scams
  • Personal data theft
  • Trojan app downloads
  • Impersonation of banks, e-commerce platforms, or government agencies
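The scrubbing step described in this section, sketched as an added example (it is not TRAI's or any Access Provider's implementation): a message is matched against its registered template, and each value captured by a tagged field is checked against the whitelist for that tag. The template text, hosts, phone number, function names and the exact-host matching rule are constructed assumptions; only the three tag names come from the article.

```python
import re
from urllib.parse import urlsplit

TAGS = ("url", "callback", "downloadlink")   # tag names quoted in the article
TAG_RE = re.compile(r"#(" + "|".join(TAGS) + r")#")

# Constructed sample data (assumptions, not real registrations).
TEMPLATE = "Your parcel is on the way. Track: #url# Help: #callback#"
WHITELIST = {
    "url": {"track.example.com"},
    "downloadlink": {"apps.example.com"},
    "callback": {"+911800000000"},
}

def compile_template(template):
    """Return (regex, tags): static text is literal, each tag is one capture."""
    parts, tags, pos = [], [], 0
    for m in TAG_RE.finditer(template):
        parts += [re.escape(template[pos:m.start()]), r"(\S+)"]
        tags.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts)), tags

def allowed(tag, value, whitelist):
    """Check one extracted value against the whitelist for its tag."""
    if tag == "callback":
        return re.sub(r"[^\d+]", "", value) in whitelist["callback"]
    try:
        u = urlsplit(value)
    except ValueError:
        return False
    # Exact host match (assumed rule): a look-alike such as
    # track.example.com.phish.test must not pass as track.example.com.
    return u.scheme in ("http", "https") and (u.hostname or "") in whitelist[tag]

def scrub(message, template=TEMPLATE, whitelist=WHITELIST):
    """Return (deliver, reason) for one outgoing message."""
    regex, tags = compile_template(template)
    m = regex.fullmatch(message)
    if m is None:
        return False, "message does not match registered template"
    for tag, value in zip(tags, m.groups()):
        if not allowed(tag, value, whitelist):
            return False, f"#{tag}# value not whitelisted"
    return True, "ok"
```

Because each field carries its tag, the scrubber knows which whitelist applies to which captured value; an untagged field would give it nothing to check against.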

Compliance Timeline for Industry

  • Access Providers and Principal Entities must modify all existing templates within 60 days.
  • After the compliance window ends, any message sent using a non-compliant template will be rejected by the system.

This transition period ensures that all registered templates in the ecosystem are sanitised and updated with pre-tagged variables.

Strengthening TCCCPR 2018 Safeguards

This initiative is aligned with the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, and represents a major leap in:

  • Consumer safety
  • Fraud detection
  • Secure digital communication
  • Trust in commercial SMS channels

The Direction is expected to substantially reduce misuse of messaging templates widely used by banks, financial institutions, e-commerce platforms, government departments, and other service providers.

Conclusion

TRAI’s mandatory pre-tagging of SMS variables marks a significant regulatory intervention to eliminate loopholes exploited by cybercriminals. By ensuring that every dynamic field is verified before transmission, the Authority aims to restore trust in SMS-based communication, which remains a cornerstone for OTPs, alerts, and essential service notifications across India.
