The proposals are included alongside other draft regulations which were published for public comment by the regulator on Wednesday (23 March).
The regulations define biometric data as the “measurement and statistical analysis of people’s unique physical and behavioural characteristics”.
In practice, this means that fingerprint mapping, facial recognition, retina scans and other biometric data could all be tied to a person’s SIM card – and by extension their phone number – going forward.
“On activation of a mobile number on its network, a licensee must ensure that it collects and links the biometric data of the subscriber to the number. A licensee must ensure that, at all times, it has the current biometric data of an assigned mobile number,” the regulator said.
This change will not apply to ‘juristic persons’ such as companies, and the biometric data collected must be used for the sole purpose of authenticating the user assigned a mobile number, the regulator said.
If a subscriber requests a SIM swap, the mobile network must ensure that the biometric data of the user requesting the SIM swap corresponds with the biometric data associated with the mobile number.
If the biometric data does not correspond with the biometric data associated with the mobile number, the SIM swap must be declined.
Icasa explained it was introducing these tougher security measures because of ongoing concerns about mobile numbers being hijacked through porting and/or SIM swap transactions.
“The hijacking of mobile numbers is a small but integral part of a wider form of fraud where sensitive data is diverted or comes in the control of criminal elements.
“The authority is of the view that the association of mobile numbers with the biometric data of a subscriber will assist to curb the hijacking of assigned subscriber mobile numbers.”
It added that several jurisdictions have already linked mobile numbers with the biometric data of subscribers, so this form of authentication is in practice and is a possible remedy to ensure that subscribers do not lose control of their assigned mobile numbers.
Fraud is an ongoing problem
The latest South African Banking Risk Information Centre (SABRIC) figures from November 2021 show SIM-swap incidents increased 91% year on year when looking at digital banking fraud across all platforms.
“The most important thing to recognise is that SIM swaps have a very important part to play in the mobile network industry,” said Lincoln Naicker, product owner at Entersekt, a provider of strong device identity and customer authentication software.
“Mobile Network Operators (MNOs) sit at the centre of an extended ecosystem and impact many other sectors, not least of all the financial ones. And, although there has been a seismic shift in the technology in mobile apps and other digital channels, the SIM has remained fairly unchanged.”
Naicker has previously raised the possibility of using biometrics as part of the onboarding process to cut down on fraud. Data from the GSMA shows just 8% of countries globally have some biometric enforcement policy in place.
“We need greater cooperation between the mobile network operators when it comes to onboarding. The verification process should be augmented using other technologies such as voice biometrics. If all players could agree on better security at this early stage, we would already have made progress,” he said.