PROTETECTION FROM SPAM, UNSOLICITED, FRAUDULENT AND OBNOXIOUS COMMUNICATION REGULATIONS, 2009
[Gazette of Pakistan extra ordinary, Part-II 5th August, 2009]
S.R.O 713 (1)/2009, dated 31-07-2009.—in exercise of powers under clause (o) of subsection (2) of section 5 read with clauses (c) and (m) of sub-section (1) of section 4 of the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII of 1996), the Pakistan Telecommunication Authority is pleased to make the following regulations:–
- 1. Short title and commencement.—(1) these regulations shall be called the ‘Protection form Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009’.
(2) These regulations shall come into force from the date of gazette notification.
- 2. Scope and Applicability.—These Regulations shall apply to all Operators in relations to insuring and protecting the interest of Telecom consumers by preventing them form spam, fraudulent, unsolicited and obnoxious communication as set out in these regulations.
- 3. Definitions.—(1) in these regulations, unless there is anything repugnant in the subject of context,–
(a) “Act” means the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII);
(b) “Authority” means the Pakistan Telecommunication Authority established under section 3 of the Act;
(c) “Do not” call register (“DNCR”) means a database, maintained centrally by the operators containing the particulars of subscribers(s) who make a request the for not receiving the Unsolicited calls;
(d) “Fraudulent Communication” means the transmission of massage/statement which is false and misleading;
(e) “Obnoxious Communication” means the transmission of massage/statement which the intent to cause harassment or disturbance.
(f) “Operator” means holder of a license or registration granted by the Authority;
(g) “Regulations” means all or any regulations issued by the Authority including without limitation, these Regulations.
(h) “Rules” means all or any rules issued by the Federal Government under Section 57 of the Act;
(i) “Spamming” means the transmission of harmful, fraudulent, misleading, illegal or unsolicited messaged in bulk to any person without the express permission of the recipient, or causing any electronic system to show any such message or is being involved in falsified online user account registration of falsified domain name registration for commercial purpose;
(j) “Telephone subscription” means a subscription for fixed or wireless service for the purpose of these regulations;
(k) “Telemarketer” means a person who initiates a call for the purpose of marketing of services, investment and goods to public at large through telecommunication service; and
(l) “Unsolicited calls” means calls made to those numbers recorded in the Do not call register.
(2) Words and expressions used but not defined herein shall bear the meaning given thereto in the Act or the Rules
PROCEDURE TO CONTROL SPAMMING
- 4. Standard Operating Procedures to control Spamming
(1) All Operators shall, with the approval of the Authority, establish a standard operating procedure in connection with—
- Minimum standards of technical measures to effectively control Spamming; and
- Such other matters as the Authority may require:
Provided that the Standard operating procedure established under sub-regulation (1) shall include at a minimum, the requirements as given in Annex-A to these Regulations.
(2) All Operators shall submit the standard operating procedure under sub-regulation (1) above to the Authority for approval within ninety (90) days of the commencement of these Regulations.
Provided that the Operators shall revise the standard operating procedure with the approval of the Authority after every one hundred and eighty (180) days to ensure that all up to date and effective technical measures are being implemented to control Spamming.
(3) In the case where a subscriber opts-in to receive Spamming messages, the Operators shall facilitate it, where applicable:
Provided that all Operators shall ensure that all communication as referred to in sub-regulation (3) shall be received by subscribers within normal business hours.
- 5. Standard Operating Procedure to Control Fraudulent Communication.—(1) All Operators shall with the approval of the Authority, with sixty (60) days of the notification of these Regulations establish a standard operating procedure to control Fraudulent Communication:
Provided that the Standard operating procedure established under sub-regulation (1) shall include at a minimum the requirements as given in Annex-B to these Regulations.
(2) All Operators shall maintain a black list of the subscribers alongwith their complete user antecedents whose subscription has been terminated on account of Fraudulent Communication:
Provided that in the case of more than one instance of indulging in fraudulent activity the subscriber, shall not be eligible for any other cellular mobile service subscription. An updated list shall be provided to the Authority on a monthly basis and the same shall be posted on the website of the Operator.
PROCEDUTE TO CONTROL UNSOLICITED CALLS
- 6. Standard Operating Procedure to Control Unsolicited Calls.—All Operators shall develop a standard operating procedure for controlling Unsolicited Calls which shall at a minimum the following:-
(a) Procedure for registration of Telemarketers and in case of failure to register, subsequent disconnection by the Operator with a prior notice of seven working days;
(b) Registration mechanism for the DNCR incorporate all registered Telemarketers;
(c) Procedure to provide timely, accurate and uninterrupted access to registered Telemarketers to the central DNCR maintained by the Operators.
(d) Provision for restriction on the access to information by Telemarketer with respect to subscribers, to the extent of the number and area code of the subscriber only.
(e) Provision for recording particulars of subscriber(s) in the DNCR who consent to receive calls made for the purpose of Telemarketing;
(f) Provision of an undertaking by each applicant for a new Telephone subscription verifying that the subscription is strictly for private use or for Telemarketing purposes;
(g) Verification procedure to be following by a Telemarketer through accessing the DNCR;
(h) procedure for restraining Telemarketers who initiate Unsolicited calls without giving an undertaking referred in sub-regulation (f) above;
(i) Subsequent action to be taken by Operators against the Telemarketers as referred to in sub-clause (h) if involved in sending unsolicited call more than 03 times consecutively, followed by disconnection of the Telephone subscription of the Telemarketer; and
(j) All Operators shall maintain an up-to-date black list of the Telemarketers alongwith their complete user antecedents whose subscription has been terminated on account of violation of the procedure provided for Telemarketer under these Regulations.
- 7. Establishment of a ‘Do Not call Register’ (DNCR).—
(1) All Operators for the purpose of controlling the reception of unsolicited calls shall establish a consolidated and central database of the DNCR.
(2) The Operators shall establish, maintain and operate the database of the DNCR at their own cost:
Provided that the DNCR shall be establish within ninety (90) working days from the notification of these Regulations, subject the fulfillment of all requirements given under these Regulations.
(3) The Operators shall establish a specific toll free number or special provision on the existing helpline for the purpose of registering the requests of Subscribers for not receiving unsolicited calls.
- 8. Registration and managing Tele-marketing by Operators.—(1) Operators, shall for the purpose of controlling Unsolicited calls, ensure registration of Telemarketers.
(2) All Operators shall ensure that the registration of all those Telemarketers who are in the business of Telemarketing on or before the promulgation of these Regulations within ninety (90) days of issuance of these regulations.
(3) All Operators shall ensure that the Subscribers are well informed regarding the option for their consent or otherwise for entering their particulars in the DNCR at the time of subscription.
- 9. Operation of the Do Not Call Register.—(1) All Operators shall within thirty days (30) the establishment of the DNCR set up procedures for registration of subscribers in the Do not call register.
(2) The DNCR must contain at a minimum the following particulars.
(a) Name, number and area code (where applicable) of a subscriber who does not want to receive Unsolicited calls;
(b) Date and time of making of request by the subscriber referred in clause (a) above;
(c) Name, number and area code(where applicable) of a subscriber who makes a request for not receiving the Unsolicited calls,;
(d) Date and time of making of request by the subscriber referred to in clause (c) above.
(3) All Operators shall update the Do not call register within two working days of the request received from a subscriber.
(4) The subscribers shall be entitled to revoke their request or options, as the case may be, after the expiry of minimum 30 days from the date of the request for registration in DNCR or other wise.
PROCEDURE TO CONTROL OBNOXIOUS COMMUNCCATION
- 10. Standard Operating Procedure to Control Obnoxious Communication.—(1) Subject to the approval of the Authority and the requirements given under Annex-C to these Regulations, all Operators shall set up a standard operating procedure to ensure that all possible technical solutions are available to the subscribers in a transparent and non-discriminatory manner to control Obnoxious Communication:
Provided that the procedure established under sub-regulations, (1) shall include at a minimum the requirements given at Annex-C to These Regulations.
(2) All technical Solutions provided under sub-regulation (1) shall be renewed and updated by Operators regularly on quarterly bases.
COMPLAINT HANDLING PROCEDURE
11. Complaint Handling Procedure, – – – (1) All Operators shall setup a round the clock complaint handling mechanic, for Subscribers in avoidance with Part IV of the Telecom consumers Protection regulations, 2009 within sixty (60) days of the notification of these Regulations.
(2) The operators shall acknowledge every complaint by a subscriber with a unique complaint number.
(3) The specified procedure to be followed by an Operator for handling of a complaint filed with respect to Fraudulent Communication shall be as follows:
(i) The SMS originator shall immediately but not later than 24 hours of receipt of complaint, be issued a warning.
(ii) In the event that as result of Fraudulent Communication, if a fraudulent balance transfer has resulted, the subscription of the SMS originator shall be terminated alongwith the IMEI member of the originating handset, immediately but not later than 24 hours of the receipt of the complaint.
(iii) The Operator shall take all reasonable steps to refund the amount to the complainant.
(4) The specified mechanism to handle complaints against Obnoxious Communication shall constitute the following measures to be adopted by all Operators:
(a) Recording of all telephone numbers including area code (where applicable) of a complainant;
(b) Telephone number and area code (where applicable) of the originator of the Obnoxious Communication;
(c) Issuance of warning immediately but not later than 24 hours of receipt of complaint and record the same in the grey list being maintained by the Operator;
(d) If the originator is repeatedly involved in Obnoxious Communication even after issuance of warning, the Operator shall terminate the outgoing communication of the Telephone subscription of the originator immediately but not later than 24 hours of the receipt of the complaint.
12. Public Education and Awareness, – – – All Operators shall launch a media campaign both in electronic and print media to educate subscribers and general public of the available preventive and subsequent complaint mechanisms for handling Spamming, Unsolicited, Fraudulent and Obnoxious Communication within (60) sexty days of the notification of these Regulations.
13. Reporting Requirements, – – – All Operator shall provide compete information regarding the particulars of subscribers, Telemarketers, Do not Call Register or any aspect of any provisions under these Regulations as and when required by the Authority.
(2) All Operators shall ensure that the preventing measures and procedures available under these Regulations are available to the subscribers and published in the Consumers Manual as specified under the Telecom Consumers Protection Regulations, 2009 within ninety (90) days of the notification of these Regulations.
14. Directions of the Authority, – – – All directives, stander operating procedures, orders and instructions issued by the Authority on or before the notification of these Regulations shall be binding and applicable on the Operators.
15. Confidentiality of Information, – – – Without prejudice to the provisions of any law for the time being in force, every Operator shall ensure the confidentiality of all information disclosed by the subscribers under the provisions of these Regulations.
(See Regulation 4)
MINIMUM REQUIREMENTS FOR ANTI-SPAM SOLUTIONS
1. An intelligent and robust anti-spam solution at each Operator’s end being regularly updated to cater for the changing spam content.
2. Anti-spam filter shall not be used for any anti competitive activity.
3. Anti-spam filter shall not violate consumer privacy.
4. Anti-spam filter on each Operator end shall not limit its filtering for on-net or off-net messages.
5. All businesses shall use short codes, registered with PTA for their marketing campaigns.
(See Regulation 5)
MINIMUM REQUIREMENTS FOR FRAUDULENT
1. PTA shall issue all the short codes on application received from either content or the Access provider.
2. Businesses: Operator shall ensure a disclaimer message in case any payments are solicited from SMS recipients.
3. Peer to Peer: A handshake between network and the user transferring the money shall occur before the transaction takes place.
This is to counter the incidences where a user receives a message which is apparently harmless but may end up in a default money transfer if ANY key is pressed. To circumvent such incidences the network should ask the transferor to verify each money transfer. The transferor shall have to reply the ‘Network’s Verification Query” by either typing “937” (yes) agreeing to the transfer or by replying “66” (No) in the body of the text for declining the transfer.
4. Balance Transfer (BT) Service: shall not be pre-activated,
Balance transfer service is mostly used by the people with enough knowledge about the Fraudulent Communication. Whereas the victims are those who cannot even read the message (Mostly in English). So if a user takes a connection as a source of voice connectivity then he could be saved from the data/advanced services related fronds by just making this service as optional for him/her. An option is that he/she activated by his own consent. Moreover before starting usage user must be provided a pamphlet educating him about the possible fraud situations.
5. Closed User Group:
(i) The credit transfer facility shall be limited to not more than TEN (10) users (much like friend and family package concept).
(ii) Limit must be fixed to maximum amount of money be transferred per transaction and the number of transactions during a predetermined period.
The limit may be different for different user based on their past usages and the geographic distances between the initiator and the beneficiary. This is because in case a user is out of town or on roaming then the balance transfer amount would be significantly higher than normal.
6. Any to Any transfer: Only to be allowed between parties whose antecedents have been verified in the last one year.
(A total amount of Rs. 50 can be SENT during a week for BT. The same amount can be RECEIVED during a week.
(See Regulation 10)
MINIMUM REQUIREMENTS FOR OBNOXIOUS
1. Lists of abusers should be maintained at each Operator’s end. Grey and Black lists should be prepared by each Operator and submitted to the Authority as and when required by the Authority. A user should be placed in appropriate category on the basis of its past, record. A Grey list entry should have access to limited services as compared to White list (meaning a list of all subscribers with clear record) entry (one that has full access to all permissible services) whereas connectivity for a Black list entry may be limited to only receive only and making an emergency call.
Note: Gray, Black lists to be defined based on the extent of violation.
2. Complaint handling involving proper verifications and subscriber IMEI number blocking procedures (where required) be extended based on involvement of Customer Service Representative (CSR).