
Complying with RBI’s New MNRL Guidelines: 11 Key Questions Answered

🗒️  Key Highlights
  • When financial institutions verify a number against MNRL, they can detect if it has been compromised and prevent fraud before it happens.
  • Without this check, banks might unknowingly send OTP codes and account reset links to fraudsters instead of legitimate customers.
  • If your business processes transactions, credit approvals, or KYC using mobile numbers, MNRL compliance is a must.

A mobile number is supposed to be personal. But what happens when it isn’t?

A number gets deactivated. The telecom provider reassigns it. Now, someone else has access to messages, calls, and possibly sensitive financial details that weren’t meant for them. 

Meanwhile, banks and fintechs continue sending OTPs, approving transactions, and verifying users, without realizing the number is no longer in the right hands.

This is why RBI released the new MNRL guidelines on January 17, 2025.

If your operations rely on mobile numbers for customer verification, onboarding, or transactions, you need to comply with these guidelines by March 31, 2025.

If you’re still unsure about what this means, we’ve answered the 11 most common questions below.

Let’s dive in.

1. What is the Mobile Number Revocation List (MNRL)?

The Mobile Number Revocation List (MNRL) is a database of permanently deactivated numbers that financial institutions must check before linking a number to a customer account. It’s published on TRAI’s platform every month, with data sourced from telecom operators under DoT’s guidelines.

Think of it as a reference list of numbers that should not be used for financial transactions because they were permanently deactivated. 

Banks, NBFCs, and fintechs must cross-check their customer numbers against MNRL to avoid fraudsters sneaking into their systems.

Ignoring this list means taking a huge risk (e.g., unauthorized transactions, money mules, and regulatory penalties). Financial businesses that rely on mobile authentication can’t afford to skip this check.

2. Why has RBI made MNRL compliance mandatory?

Fraudsters have too many tricks when it comes to mobile numbers. Some use SIM swap fraud to intercept OTPs, others register fake numbers with banks, and some exploit old, reassigned numbers to access financial accounts.

Until now, financial institutions had no standardized way to check if a number was permanently deactivated. MNRL provides a centralized list to help them clean up outdated records.

If a bank sends an OTP to a number that has changed hands, the risk of unauthorized access increases. Money moves fast, and reversing fraudulent transactions is nearly impossible.

So, the RBI stepped in. MNRL is now a hard requirement. Financial institutions must verify numbers against MNRL to prevent fraudulent activity and remove flagged numbers from their database.

3. Which businesses must follow MNRL regulations?

Anyone handling financial transactions linked to mobile numbers. That includes:

  1. Banks (Commercial, Small Finance, Payment Banks, Cooperative Banks)
  2. NBFCs (Including lending startups, housing finance, and microfinance companies)
  3. Payment Aggregators & Wallets
  4. Credit Information Companies
  5. Loan and BNPL providers

If mobile numbers are part of customer onboarding, transaction verification, or fraud prevention, MNRL compliance is non-negotiable. 

Even fintech startups running KYC checks must integrate this.

And no, it doesn’t matter if a company is big or small: if it holds a financial license, it must comply.

4. How can banks and fintechs access the MNRL database?

There are two ways to check numbers against MNRL:

  1. Manual lookup: Financial institutions can log into the Digital Intelligence Platform (DIP) and check numbers one by one. Not ideal for businesses with large customer bases. It’s slow and requires constant updates.
  2. Automated API integration: The smarter option. Signzy offers an MNRL API that instantly verifies numbers in real time. This lets businesses automate the process and flag risky numbers before they cause trouble.

For high-volume businesses, manual checking isn’t practical. Fraud prevention needs speed, and an API integration removes the human delay.

5. What is the deadline for MNRL compliance?

RBI has set March 31, 2025, as the deadline for financial institutions to implement MNRL compliance. By this date, banks, NBFCs, fintechs, and payment aggregators should integrate MNRL checks so that they are not processing transactions or sending OTPs to deactivated numbers, which reduces the chances of account misuse.

6. What’s the fastest way to meet MNRL compliance before the deadline?

The March 31, 2025 deadline is fast approaching, and businesses must act immediately. The quickest way to get everything in place is to automate the process with an API instead of relying on manual checks.

Here’s how to speed things up:

  1. Integrate an MNRL API: Use Signzy’s MNRL API to eliminate manual verifications and automatically screen numbers in real time. This ensures flagged or deactivated numbers don’t slip through during customer onboarding or transactions.
  2. Run a bulk database check: Cross-check all existing customer numbers against MNRL to remove flagged entries.
  3. Update internal workflows: Ensure new customer onboarding and transaction approvals include automatic MNRL checks.
  4. Remove disconnected numbers: Fraud and risk teams need to know how to handle flagged numbers and prevent misuse.

Rushing compliance at the last minute creates operational bottlenecks and increases risks. Automating verification now ensures seamless compliance without disrupting business.

7. How does MNRL actually prevent fraud?

Most fraudsters don’t use their real names or IDs. They rely on burner numbers and stolen identities to trick financial institutions.

MNRL helps prevent misuse by ensuring financial institutions do not process transactions using:

  • Deactivated numbers that may have been reassigned
  • Long-inactive numbers that could be exploited for fraudulent activities

For financial institutions, this means fewer fake KYC approvals, fewer hacked accounts, and fewer fraudulent transactions.

A flagged number should be immediately blocked from being used for banking, credit applications, or payments. Without this check, businesses are basically inviting fraudsters to exploit their system.

8. What happens if a bank or NBFC doesn’t comply with MNRL regulations?

RBI has set strict penalties, and financial institutions that ignore MNRL risk:

  • Telecom restrictions: Banks or fintechs that keep using risky mobile numbers may have their telecom resources (SMS/call services) suspended for up to 2 years, per TRAI’s commercial communication rules. That means no customer outreach, no OTPs, no transaction alerts.
  • Regulatory action: Institutions that fail to clean up their databases may face audits, penalties, or even restrictions on business operations.
  • Fraud liability: If a fraud happens due to an unverified number, the institution could be held responsible. This includes legal consequences, financial losses, and brand damage.

Most fintechs and banks run on trust. Customers won’t think twice before switching if they feel their data or transactions aren’t secure. As a result, MNRL compliance becomes necessary.

9. Can financial institutions still call customers using regular phone numbers?

No. RBI has enforced strict numbering rules to eliminate fraud calls and scams. Banks and NBFCs can no longer make transactional or promotional calls from random 10-digit mobile numbers.

Here’s how calls must be handled:

  • Service & Transactional Calls: Must come from the ‘1600xx’ series (this will be activated soon).
  • Promotional Calls: Must use ‘140xx’ series.
  • No regular 10-digit mobile or fixed-line numbers should be used for any official communication.

This prevents fraudsters from spoofing customer care numbers and tricking people into revealing sensitive details.

10. Does MNRL only apply to banks, or do fintech startups need to comply too?

Every financial institution that relies on mobile numbers for authentication or transactions must comply, including fintechs, lending startups, and payment service providers.

A common misconception is that only large banks are affected. That’s not the case. Even startups offering BNPL (Buy Now Pay Later), microloans, or prepaid wallets need to check customer numbers against MNRL.

This regulation is especially relevant for fintechs, since many of them onboard customers using digital KYC, where fraudsters often exploit loopholes. Many also depend on SMS and call-based authentication, which can be hijacked if numbers aren’t verified. Therefore, yes, MNRL compliance is a must even if you are a fintech.

11. Can businesses manually verify numbers instead of using an API?

Technically, yes. Practically, it’s a nightmare.

Manual verification involves logging into the DIP platform and checking numbers one by one. This might work for small businesses with a few dozen customers, but for banks, NBFCs, and fintechs handling thousands or millions of transactions, manual checks don’t scale.

Here’s why API integration is the only logical choice:

  • Verification checks: API solutions validate numbers before transactions or onboarding.
  • Automated monitoring: The system can continuously screen customer databases for newly flagged numbers.
  • Faster fraud prevention: Fraudsters move fast. An automated system catches them before they cause damage.

For high-volume businesses, manual checks are slow, error-prone, and impossible to maintain at scale. An API automates this seamlessly, running checks in real time without disrupting operations. 

Signzy’s MNRL API enables financial institutions to automate verification, ensuring customer numbers are screened against the latest MNRL dataset. This helps businesses prevent fraud, maintain clean databases, and stay compliant without manual intervention.
