The Telecom Regulatory Authority of India (TRAI) has announced a significant tightening of regulations for commercial SMS communication by mandating the pre-tagging of all variable fields within content templates. This decisive action, outlined in a Direction dated November 18, 2025, is specifically aimed at closing security loopholes that cybercriminals routinely exploit for phishing, financial fraud, and the insertion of malicious links and unapproved callback numbers.
Historically, SMS templates used for communication by banks, government bodies, and businesses contained variable fields—such as tracking URLs, OTPs, or phone numbers—that changed with each message. TRAI’s investigations revealed that the absence of mandatory tagging on these fields allowed unscrupulous entities to inject unverified or harmful content, bypassing the existing template scrubbing systems used by Access Providers (telecom operators). This has been a recurring source of unsolicited commercial communication (UCC) and major cyber incidents.
To counteract this, the new rules require every variable field in a template to carry a descriptive tag that defines its content type, purpose, and applicable validation rule. Approved tags include specific identifiers like #url# for general web links, #urlott# for app download links, and #cbn# for callback numbers. This ensures that every changeable element in a message is identifiable and verifiable.
The Direction sets a clear timeline for implementation. Within 10 days, Access Providers must approve only new templates that adhere to the mandatory tagging rules. More critically, operators have 30 days to implement and activate the new tag-based validation and scrubbing systems.
For a 60-day transition phase, the system will operate in “logger-mode”: messages will be delivered, but all validation failures will be logged. After this grace period, any commercial message that fails variable validation against a pre-whitelisted list of approved URLs, APK links, or numbers will be rejected and not delivered to the recipient.
Access Providers are also required to enhance accountability by identifying and informing the Principal Entities (the businesses sending the messages) about template failures, necessary corrective actions, and the consequences of continued non-compliance. This strengthens the enforcement framework set by the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018.
By enforcing complete visibility and validation of all variable content before delivery, TRAI expects a drastic reduction in phishing attempts, fraudulent transactions, and misuse of registered messaging channels. This move marks a crucial step in improving the safety and trustworthiness of SMS as an essential communication medium in India’s digital economy. The industry is now focused on the next few months, which will be critical as the new stringent enforcement measures come fully into effec
