Transforma Insights recently conducted a study of over 80 regulatory regimes around the world to seek clarification on the know-your-customer (KYC) rules for M2M/IoT SIMs. That research was published in the report ‘The current status of Know Your Customer (KYC) regulations for IoT SIMs’. The report is helpful for entities looking to understand the KYC regulatory landscape and support compliance for IoT connectivity service providers. This blog post summarises the key findings from that report, particularly exploring the status of IoT SIM registration rules around the world.
SIM registration rules for mobile phone SIMs are well established in many countries: for example, 83% of the 83 countries examined in our KYC report have mandatory SIM card registration laws in place for either prepaid or postpaid mobile phone connections, or both. However, when it comes to IoT SIMs, regulatory frameworks are much less mature, with very few countries formalising the guidelines and rules around them. More than 70% of the countries that we examined had no mention of IoT SIMs in their regime suggesting uncertainty and application of mobile-phone SIM rules by default. While some countries are more recently putting effort to revise their telecom regulations to include or exempt IoT/M2M SIMs, many have not yet tailored their KYC/SIM registration regimes specifically for IoT use-cases. This could be variously due to rapid technological change, involvement of multiple stakeholders, diversity of use cases, low risk compared to telephony SIMs, or a range of other reasons.
Out of the 31 countries for which we successfully identified specific IoT SIM registration information, 32% have no mandatory regulation for IoT SIM registration and the remaining have some form of verification rule in place. 26% are lenient for IoT SIMs in comparison to phone SIMs. It is mostly European countries that have lenient rules for IoT SIMs. Leniency, in this context, means that they require IoT SIM registration, but they don’t strictly mandate verification of the ‘end-user’ or physical custodian of the IoT device and allow linkage only with the enterprise managing the IoT service. This is because these SIMs don’t pose a similar threat from a point of view of combating scams and their ownership is slightly more complicating than phone SIMs as they cannot always be linked to an end-user. In our recent blog post ‘IoT SIMs need a different KYC approach to mobile phone SIMs’ we discussed how KYC rules for IoT SIMs are challenging because of ownership complication.
Overall, Asian and Middle Eastern countries are tightening definitions around M2M/IoT services and enforce strict KYC registration for IoT SIMs. For example, In India, end customer details, i.e. the physical custodian of machines fitted with SIMs, are to be maintained by M2M service providers. The graphic below positions different countries based on IoT SIM KYC ‘Strictness’ and ‘Scope’ related to KYC for IoT SIMs. Overall, there is a global trend towards tighter telecom regulations particularly in fraud-prone regions.
Most countries that require IoT/M2M KYC registration allow identity verification of vehicle OEMs (rather than vehicle owners) as they are the ones contracting for connectivity services. China is the only country that has a regulation dedicated to KYC of SIMs in connected cars. In 2021, China’s Ministry of Industry and Information Technology (MIIT) released the Notice on ‘Strengthening the Real-Name Registration Management of Internet of Vehicles Cards’ that mandated both vehicle manufacturers and telecom operators to ensure real-name registration of SIM cards used in vehicles.
While mobile phone SIM registration is well established in most countries, IoT SIM regulation remains underdeveloped, with over 70% of countries lacking specific rules and suggesting uncertainty. European countries generally take a lighter-touch approach, linking IoT SIMs to enterprises without strict end-user verification, whereas Asian and Middle Eastern nations enforce stricter KYC requirements. Overall, there is a global trend toward tighter IoT SIM regulation, particularly in regions prone to telecom fraud.
