The regulatory environment around cellular-based connectivity for IoT is becoming increasingly complex, with new and evolving rules emerging across different countries. Governments and regulatory bodies are introducing stricter requirements related to data privacy, roaming, security, spectrum allocation, cross-border data flows and more. These include some well-established issues such as permanent roaming, but also new ones, for instance around eSIM profile management or data sovereignty. While these regulations aim to ensure fair competition and consumer protection and to safeguard national interests, they sometimes create uncertainty for both service providers and end users.
One regulatory topic about which there is a changing set of dynamics and a lot of uncertainty is know-your-customer (KYC) processes for IoT SIMs. We recently published a report on ‘The current status of Know Your Customer (KYC) regulations for IoT SIMs’ that provides a detailed analysis of KYC rules and guidelines related specifically to IoT (or M2M) SIMs and eSIMs in more than 30 countries across different regions of the world. The report is helpful for entities looking to understand the KYC regulatory landscape and support compliance for IoT connectivity service providers. This blog post is inspired by the insights drawn from the report. It touches upon what IoT SIM KYC means and how it differs from KYC for phone SIMs, and suggests a more appropriate KYC approach for regulating IoT SIMs.
KYC, or “Know Your Customer”, is a process, often mandated by governments and carried out by businesses, especially banks and financial institutions, to verify the identity and risk profile of the customer in order to prevent fraudulent activities and ensure the legitimacy of customers and compliance with national and international regulations. In the context of telecommunications, KYC is carried out before activation of telecommunication services – such as provisioning a new mobile phone SIM card, broadband connection or IoT device SIM card. It serves a similar purpose to its use in banking, preventing criminal and fraudulent activities, such as anonymous SIM misuse, text spamming, mobile phishing and financial fraud, and serves as a mechanism for ensuring national security.
The nature of IoT SIMs is slightly different from phone SIMs. Unlike phone SIMs, the customer of IoT SIMs is not always an end user; it can also be an enterprise managing the SIM for the end user. For example, in the case of fleet management services, the device may be provided by a fleet management service provider (with connectivity procured from a telecommunications operator), but the vehicle in which it is installed may be owned by the logistics company, or even the driver themselves. The complexity rises further when M2M equipment is used by several different people, or when more than one such device is deployed by a single user. Thus, applying general KYC rules that require verification of the end user becomes complex in the case of IoT SIMs. Furthermore, the scale of deployments can also be potentially huge, with IoT deployments involving thousands to millions of SIM-enabled devices (for example, smart meters, alarms, cars, etc.), making it difficult for the stakeholders to manage the associated customer data.
The main goal of introducing KYC in telecommunication laws was to limit the possibility of anonymous SIM card use for various forms of fraudulent activities. But as IoT SIMs have limited functionality, they don’t pose a similar threat from the point of view of combating scams. What started as a phone SIM-only policy can become detrimental to the growth of the cellular IoT ecosystem and slow down the next phase of digitalisation. Stricter KYC regulations can become challenging, especially in the case of SIMs used in devices that are meant for export. Many manufacturers produce connected devices (for example, smart meters, connected cars, and wearables) embedded with IoT/M2M SIMs for global markets, and it may not be feasible to get KYC details of the end user to whom the device is sold.
The majority of governments around the world have made KYC mandatory for either prepaid or postpaid mobile phone connections, or both. But when it comes to IoT SIMs, very few countries have formalised the guidelines and rules around it. Middle Eastern countries (particularly the United Arab Emirates and Qatar) and Asian countries (including China and India) have more detailed and defined rules compared to North American and European countries. The majority of countries around the world still haven’t considered a policy specifically for IoT SIMs and might be extending the same stringent mobile phone SIM policies to IoT SIMs. A future blog post will explore the status of rules around the world.
As mentioned, the end-user traceability aspect of KYC for regular cellular services is not always feasible in the case of IoT SIMs, but that doesn’t mean these SIMs should be left unverified. A light-touch framework for IoT SIM KYC could be introduced for selected or mission-critical services, enabling SIM traceability when required, particularly in countries with high crime rates. The United Arab Emirates has taken such an approach: IoT service providers must maintain subscriber information for mission-critical IoT services. Along similar lines, there can be requirements for KYC of selected IoT SIMs that are voice-enabled or have a telephone number associated with them, that is, SIMs that can be responsible for carrying out fraudulent activities.
Many countries do not have well-defined KYC rules for SIM cards or eSIMs used in IoT connected devices, for a range of reasons such as rapid technological change, involvement of multiple stakeholders, diversity of use cases, low risk compared to telephony SIMs, and more. Therefore, the rise of IoT is likely to prompt more clarity on the KYC regulatory landscape in the near future. In many countries, the same phone KYC rules are carried over to IoT SIMs, which are not as threat-prone as phone SIMs. Ideally, there should be a different and well-defined framework for IoT SIMs that doesn’t restrict the market from growing.