Dutch Telcos Align on GSMA Open Gateway to Fight Online Fraud

A coordinated launch in the Netherlands brings standardized, network-powered security APIs to market at national scale.

Coordinated CAMARA Security API Launch

KPN, Odido, and Vodafone Netherlands have jointly introduced a set of security services based on CAMARA, the open-source API framework hosted by the Linux Foundation and aligned with the GSMA Open Gateway program. Working with the Dutch COIN association, the operators are exposing harmonized, privacy-aware network signals that enterprises can use to strengthen authentication and reduce online fraud.

KPN, Odido, Vodafone: Standardized APIs for Scalable Integration

The move aligns the three major Dutch mobile networks behind a common API model and governance approach, lowering integration friction for banks, e-commerce platforms, fintechs, and CPaaS providers. Because these services adhere to GSMA Open Gateway specifications, developers can build once and scale across operators domestically and, increasingly, internationally as more markets light up similar capabilities.

Rising Dutch Fraud Losses and Mobile Network Countermeasures

Consumer scams and account takeovers continue to rise, with recent local studies indicating a meaningful portion of Dutch citizens experienced fraud last year, resulting in losses measuring in the billions of euros. Mobile network intelligence—when standardized and responsibly exposed—offers a new control layer to counter social engineering, credential stuffing, and bot-driven abuse without adding undue user friction.

How CAMARA and GSMA Open Gateway Standardize Telco APIs

The initiative turns telco network attributes into consumable, standardized APIs that application teams can call in real time.

CAMARA Technical Overview: Open, Operator-Agnostic APIs

CAMARA defines open, operator-agnostic APIs, data models, and security patterns (e.g., OAuth 2.0, scoped consent) so developers see consistent behavior regardless of carrier. It is open-source under the Linux Foundation, allowing rapid iteration and shared test suites while enabling local policy compliance by each operator.

GSMA Open Gateway: Global Exposure, Onboarding, and SLAs

Open Gateway aligns operators on common exposure, onboarding, and SLA expectations so that a single integration can reach many networks. The program has backing from dozens of operator groups worldwide, representing hundreds of networks and the vast majority of global mobile connections, giving enterprises a credible path to cross-border scale.

Available Netherlands APIs: Number Verification and KYC Match

The Dutch launch prioritizes identity-centric use cases. Number Verification allows apps to confirm that a user’s device and mobile number match the current session—often silently in the background—reducing one-time password SMS dependency. KYC Match lets a relying party validate that subscriber attributes provided by a user align with operator-held records, supporting step-up verification during high-risk events like new payee addition, device binding, or high-value checkout.

Developer Integration, Risk Policies, and Observability

Enterprises can access these APIs directly from operators or via CPaaS and identity providers that aggregate multiple carriers. Typical flows use risk-based policies: call Number Verification at login to cut friction; invoke KYC Match during anomalous behavior or payment initiation. Observability, rate limits, consent auditing, and data minimization are integral to production deployments.

Business Value for Banks, Ecommerce, CPaaS, and Operators

Network-derived signals shift fraud prevention left, improving conversion while tightening controls on high-risk events.

Financial Services: SCA, Fraud Reduction, and Cost Savings

Banks and PSPs can supplement PSD2/RTS strong customer authentication with passive checks, reducing step-up challenges and SMS costs while improving fraud capture on mule accounts and social-engineering attacks. Expect measurable lifts in login success rates and reduced chargeback exposure when network verification gates risky actions.

Ecommerce and Marketplaces: Account Integrity and Payout KYC

Merchants can use Number Verification to fight account sharing and bot sign-ups, then apply KYC Match during payout onboarding or address changes. This helps compress manual review queues and lowers abandonment compared to heavy-handed document checks.

CPaaS and CIAM: Embedded Telco Signals for Fraud Control

Providers that already orchestrate SMS, voice, and MFA can embed CAMARA-based checks as policy-driven steps, offering customers unified fraud controls across operators. This is a natural upsell to existing communications or CIAM contracts and a route to premium, outcome-based pricing.

Telco Monetization, SLAs, and Outcome-Based KPIs

For telcos, these APIs create a replicable security product line tied to measurable outcomes. Track adoption by active applications, verified sessions, fraud prevented per 1,000 transactions, latency percentiles, and cross-operator success rate consistency. Clear commercial models—per-call pricing or tiered bundles with SLA differentiation—will accelerate enterprise uptake.

Privacy, Reliability, and Threat Evasion Risks

Execution quality and trust will determine whether standardized telco APIs become a durable part of the fraud stack.

Consent Management, Data Minimization, and Audit

Operators and integrators must enforce explicit user consent where required, keep payloads lean, and provide audit trails. Transparent disclosures and aligned retention policies are essential to meet EU privacy expectations and maintain consumer trust.

Cross-Operator Consistency, SLAs, and Failover Design

Standard APIs still need harmonized error codes, uptime targets, and predictable throttling across carriers. Enterprises should design for graceful degradation, multi-operator routing, and real-time health checks to avoid login friction when an endpoint is impaired.

Adversarial Tactics, Signal Quality, and False Positives

Fraudsters will probe for gaps such as device farms, SIM swapping, or call forwarding. Combining network signals with device fingerprinting, behavioral analytics, and velocity controls yields stronger detection. Continuous tuning is required to minimize false positives in edge cases like multi-SIM or corporate devices.

Roadmap, Regulation, and Federation

Momentum depends on breadth of APIs, cross-market availability, and alignment with evolving EU digital identity and security rules.

Next APIs: SIM Swap, Location, and Spam Mitigation

Expect expansions into SIM Swap indicators, device location for transaction risk scoring, and spam/robocall mitigation—creating a layered defense spanning account creation through transaction confirmation.

Regulatory Fit: PSD3, NIS2, and eIDAS 2.0

Monitor how these services map to PSD3, NIS2, and eIDAS 2.0 wallet frameworks, as well as bank-grade audit requirements. Clear regulatory positioning will speed procurement and risk approvals.

Cross-Border Federation, Onboarding, and Billing

Growth will hinge on common onboarding, unified billing, and cross-border federation so enterprises can contract once and operate in many countries. Partnerships among operators, COIN, GSMA, and CPaaS aggregators will be pivotal.

Enterprise Actions: Pilot, Integrate, Measure, and PIA

Pilot Number Verification on login to cut OTP friction; add KYC Match for high-risk events; integrate via an aggregator to simplify multi-operator reach; instrument KPIs for conversion, fraud rate, and user sentiment; and build privacy impact assessments up front to speed security and legal reviews.