
Critical KYC Obligations for Pacific Island Telcos: Compliance, Security, and Future Trends


Telecommunications regulators across the Pacific are increasingly interested in imposing know your customer (KYC) obligations on licensed telecommunications providers. The most recent example of this is in Solomon Islands, where the Telecommunications Commission of Solomon Islands introduced requirements for telcos to collect, store and provide to the regulator information regarding their SIM card customers under the Telecommunications (Subscriber Registration) Directives 2023. You can read more about the Solomon Islands reforms and the SIM registration programme being conducted until 29 November 2024 here.

 

KYC obligations in the telco sector are an important step toward preventing organised crime and fraud and reducing the prevalence of cybercrime. However, telcos must balance their obligations to collect confidential information about their customers with obligations to protect their customers’ personal data. This article sets out the basics on collecting customer data in the telco sector and what protections customers have from the disclosure of that information in PNG, Fiji and Vanuatu.

 

Why is there a need for KYC in the telco sector?


KYC obligations are vital for preventing organized crime, fraud, and cybercrime. However, telcos must balance the need to collect sensitive customer data with their duty to protect this information. Here’s a breakdown of why KYC is essential in the telecom sector:

 

  • (Security and Fraud Prevention) Identifying customers is an important way to limit SIM card fraud, terrorism financing, drug trafficking and other organised crime. It also creates a paper trail so that telecommunications regulators can work with law enforcement to track down criminal enterprises.


  • (Regulatory Compliance) Creating clear regulations for the collection, storage and use of customer data ensures that there is consistency in the way in which confidential information is used and protected. This also ensures that data can be used by law enforcement agencies by aligning telco KYC regulations with anti-money laundering and counter-terrorism financing legislation.


  • (Consumer Protection) Proper KYC procedures are required to better protect customers from cybercrime such as preventing SIM swapping and identity theft. Collecting customer data can also enable telcos to block unsolicited communications such as spam and scams.


  • (National Security) The information collected by telcos can also be used by government agencies in public emergencies or for the benefit of securing the state. For example, the information can be used to monitor potential threats to national security, or enable government agencies to contact persons affected by a crisis. The latter is obviously of particular interest to Pacific island governments where natural disasters are frequent and have devastating impacts on local populations.

 

General Obligations


In addition to the Solomon Islands, other Pacific Island nations like Papua New Guinea (PNG) and Vanuatu have their own KYC requirements. While requirements vary, telcos in PNG and Vanuatu are generally required to collect the following information from SIM card subscribers:

 

  • the SIM card number;

  • the name of the customer;

  • the customer’s gender and age;

  • the customer’s passport number or other identification card number; and

  • the customer’s residential address and phone number.[1]

 

If the customer is a company, the company’s details must be provided alongside the details of an authorised representative. Currently, Fiji does not have similar requirements for SIM card subscriber information.

 

However, there are limits on the power of telcos to collect personal data. For example, in Vanuatu telcos can only collect personal information that is necessary to supply services to the end user.[2]

 

Balancing KYC and confidentiality obligations


Telcos must carefully balance the collection of personal data with the obligation to protect customer privacy. Under common law, telcos owe a duty to keep customer information confidential. Whether information constitutes confidential information depends on the type of information collected; however, best practice is to treat all personal data as confidential information that should not be disclosed unless required by law.


Statute has clarified the obligations of telcos to protect privacy. In Vanuatu, a service provider must not, without the consent of the end user, divulge any personal end user information to any other person who is not an agent or employee of the service provider, unless required by law or authorised by warrant or by the telecommunications regulator.[3] In Papua New Guinea, telcos are required to protect their retail customers’ privacy, and in particular protect their personal information, and protect them from intrusive use of telecommunications and the recording of their conversations.[4] In Fiji, service providers must keep information about customers confidential, including bill and call information.[5]

 

The future of KYC obligations

 

The Pacific region is moving towards stricter KYC requirements, along with the development of statutory rights regarding data privacy. For example, operators in Fiji can learn from other jurisdictions where SIM card subscriber information is already regulated, preparing them for potential future reforms.

 

Telecom providers should also anticipate more digitized procedures for data collection and storage, in line with international standards like those of the Financial Action Task Force (FATF). Additionally, clear statutory rights for customers concerning data privacy may emerge, potentially modeled after frameworks like Australia’s Privacy Principles or the EU’s General Data Protection Regulation (GDPR).

 

Since KYC obligations vary by jurisdiction, it’s essential for telecom providers to understand the specific requirements in each market. For detailed guidance on telecommunications obligations and customer rights, contact our team of telco law specialists.

 






[1] SIM Card Registration Regulation 2022 (Vanuatu), schedule 1; SIM Card Registration Regulation 2016 (PNG).

[2] Telecommunications and Radiocommunications Regulation Act 2009 (Vanuatu) s 40(2).

[3] Telecommunications and Radiocommunications Regulation Act 2009 (Vanuatu) s 40(1).

[4] National Information and Communication Technology Act 2009 (PNG) s 223(2)(viii).

[5] Telecommunications Act 2008 (Fiji) s 54(1)(e).
