Customer identity authentication rules

Strong ID checks to help stop scams

To protect your customers from fraud and identity theft, you must follow rules to authenticate their identity.

Multi-factor identity authentication (MFA) processes must be used for all high-risk transactions. This is to make sure the person requesting the transaction is your customer, or your customer’s authorised representative.

These rules are set out in the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022.

Complying with the rules: telco checklist

1. Read and understand the Customer Identity Authentication Determination. It’s your responsibility to know your obligations and comply with them. If you have outsourced arrangements to help you comply, it is your responsibility to make sure they work.

2. Identify high-risk customer transactions. These include:

  • SIM swaps
  • transfers from a post-paid to a pre-paid service
  • transfers of title (also known as change of ownership)
  • adding additional phone service/s to an account
  • activating a service for an overseas customer
  • buying an additional mobile phone
  • blocking an International Mobile Equipment Identity or a Permanent Equipment Identifier.

Depending on the services you provide, you may identify more high-risk transactions than just those listed above.

3. Implement MFA for high-risk customer transactions. An example of MFA where a requesting person initiates a high-risk customer transaction is:

  1. an account username and password, and
  2. a unique verification code or secure link, sent to the customer’s mobile number or validated mobile application.

An example of MFA where a telco initiates a high-risk customer transaction is:

  1. calling the customer using the phone number listed on their account, and
  2. asking the customer to confirm their name.

4. Provide details to the customer about the authentication process. When a unique verification code or secure hyperlink is used in an MFA process, it must include a message advising the customer:

  • a high-risk customer interaction has been initiated for their telecommunications service
  • not to share the unique verification code or secure hyperlink
  • what they can do if they did not initiate the interaction.
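As an added illustration of steps 3 and 4 (example code, not part of this page or the Determination), the following Python models the second factor of the customer-initiated flow: a one-time code sent to the customer's mobile that expires, can be used only once, and is delivered with the three required advisories; the transaction names, code lifetime and message wording are assumptions.

```python
import hmac
import secrets
import time

# High-risk customer transactions listed in step 2 of the checklist (assumed names).
HIGH_RISK_TRANSACTIONS = {"sim_swap", "postpaid_to_prepaid", "transfer_of_title",
                          "add_service", "activate_overseas_customer",
                          "buy_additional_handset", "block_imei_or_pei"}
CODE_TTL_SECONDS = 300  # assumed lifetime; the Determination does not fix one

# The three things a verification-code message must tell the customer (step 4).
REQUIRED_ADVISORIES = ("a high-risk interaction has been initiated for your telecommunications service",
                       "do not share this code",
                       "if you did not request this")


def requires_mfa(transaction: str) -> bool:
    return transaction in HIGH_RISK_TRANSACTIONS


def message_is_compliant(text: str) -> bool:
    """True if a notification template carries every step-4 advisory."""
    lowered = text.lower()
    return all(phrase in lowered for phrase in REQUIRED_ADVISORIES)


class HighRiskMfaChallenge:
    def __init__(self, transaction: str, now=None):
        if not requires_mfa(transaction):
            raise ValueError(f"{transaction!r} is not a listed high-risk transaction")
        self.transaction = transaction
        self.code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self.issued_at = time.time() if now is None else now
        self.used = False

    def customer_message(self) -> str:
        # Constructed wording; each step-4 element is present.
        return (f"Your code is {self.code}. A high-risk interaction has been initiated "
                "for your telecommunications service. Do not share this code with anyone. "
                "If you did not request this, contact us and tell your bank.")

    def verify(self, presented: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self.used or now - self.issued_at > CODE_TTL_SECONDS:
            return False  # expired or already consumed
        if not hmac.compare_digest(self.code, presented):  # constant-time compare
            return False
        self.used = True  # single use: a replayed code must fail
        return True
```

The first factor (account username and password) is assumed to have been checked before the challenge is issued.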

5. Identify and protect your at-risk customers. Implement systems to identify customers at risk from fraud and offer them fraud mitigation protections, such as:

  • sending them notifications when a change to their account is requested
  • flagging their account to show they are high-risk
  • using certain channels to complete MFA
  • pausing some transactions
  • only sending notifications to their authorised representative.

These fraud mitigation protections must also be provided to customers who believe they are at risk from fraud.

6. Alert your customers. Let customers know that MFA will be used for all high-risk transactions. Also let them know they should report any suspicious actions to you and their bank.

7. Keep records to demonstrate compliance for at least 1 year.