Malaysia telcos federate GSMA Open Gateway Number Verification API to cut fraud
Malaysia's five mobile operators will federate a GSMA Open Gateway API to give banks and online retailers a consistent, cross-network tool to fight account takeovers and digital identity theft.
Operators unify access to the CAMARA-based Number Verification API
CelcomDigi, Maxis, U Mobile, Telekom Malaysia, and YTL Communications plan to provide federated access to the GSMA Open Gateway Number Verification API, based on the CAMARA standard. The move, unveiled at the Digital Nation Summit in Kuala Lumpur, lets developers integrate once and reach all participating Malaysian networks while each operator retains control of data, policy, and monetization. The API verifies a user's mobile number against real-time network attributes, offering a more secure, low-friction alternative to SMS one-time passwords.
Rising ASEAN fraud makes SMS OTPs risky; network verification reduces exploits
Fraud is accelerating across ASEAN, and SMS OTPs are increasingly vulnerable to phishing, malware, SIM swap, and social engineering. Network-anchored verification provides silent, possession-based authentication that reduces user friction and closes common OTP exploits. With GSMA citing participation from 79 operator groups across 291 networks covering nearly 80% of global mobile connections, enterprises can now plan at regional scale rather than stitching together one-off integrations.
How the federated GSMA Open Gateway operates
The federation model abstracts operator differences behind a common API and operational framework while preserving carrier-level control and compliance.
CAMARA-conformant REST API and one-time integration for all networks
The Number Verification API follows CAMARA specifications and Open Gateway operational practices, exposing a standardized, RESTful interface with common schemas and security patterns. A federated layer handles discovery, routing, and cross-operator interoperability, so developers can build once and reach all participating Malaysian networks. This approach reduces integration cost, speeds time to market, and simplifies maintenance as new operators join.
Operator-controlled consent, policy, and monetization within the federation
Each operator enforces its own consent, privacy, throttling, and fraud policies, and participates in monetization according to agreed commercial models. The federation provides cross-market coverage while allowing carriers to keep network data within their control planes and comply with local regulation. That balance, reach without centralizing sensitive data, is critical for trust, auditability, and long-term scalability.
Regional momentum and global Open Gateway alignment
The Malaysian federation aligns with broader Open Gateway momentum and emerging API exchanges across Asia.
Interoperability with Aduna and Bridge Alliance API exchanges
Regional initiatives such as Ericsson's Aduna and the Bridge Alliance API Exchange (BAEx) are building multi-operator API ecosystems with consistent onboarding, security, and settlement. Maxis has already piloted federation with Singtel for Device Location and Number Verification, with AIS also participating via Singtel, and later partnered with Aduna to accelerate standardized API adoption in Malaysia. This positions Malaysian operators to interoperate beyond national borders as these exchanges mature.
ASEAN telcos converge on anti-fraud network APIs
Indonesia's major operators recently aligned on a unified network API protocol focused on anti-fraud use cases. Combined with Malaysia's move, ASEAN markets are converging on a common technical and commercial playbook for identity and risk signals. That creates a pathway for cross-border services, consistent developer experiences, and shared defenses against increasingly transnational fraud rings.
What this means for banks, fintechs, and e-commerce
Federated Number Verification opens near-term security gains and a roadmap to richer network signals that can harden digital onboarding and payments.
Silent auth, SIM checks, device binding, and risk scoring beyond OTP
Near-term uses include silent step-up authentication during login or high-risk transactions; SIM change checks before resetting credentials; device binding and session revalidation without SMS; and risk scoring that blends network trust with device and behavioral signals. Longer term, adjacent APIs such as SIM Swap Detection, Device Location, and KYC Match can enrich fraud models, reduce false positives, and streamline customer journeys in super apps, wallets, ride-hailing, and e-commerce.
Latency, coverage, fallback, and KPI design for production use
Target low-latency calls that do not add friction to checkout or login; aim for sub-second response times and design fallbacks for Wi-Fi-only sessions. Build for coverage variability, rate limits, and consent flows. Align API usage with your risk engine, MFA orchestration, and customer experience: trigger verification only where it improves security per unit of friction. Monitor success rates, match quality, latency, and fraud capture lift as core KPIs.
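The guidance above, sketched as an added example that is not code from the operators, GSMA, or CAMARA: a step-up decision that verifies only high-risk requests, falls back for Wi-Fi-only sessions and timeouts, and computes success, match, fallback, and latency KPIs. The `verify` callable, the 0.8-second budget, and the risk labels are assumptions; fraud capture lift needs labelled fraud outcomes and is not computed here.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

LATENCY_BUDGET_S = 0.8  # assumed sub-second budget; tune per flow


@dataclass
class Outcome:
    method: str               # "none", "network" or "fallback"
    verified: Optional[bool]  # None when the network check gave no answer
    latency_s: float
    reason: str


def step_up(risk: str, on_mobile_data: bool, phone: str,
            verify: Callable[[str, float], bool],
            budget_s: float = LATENCY_BUDGET_S) -> Outcome:
    """Decide whether and how to verify number possession for one request."""
    if risk != "high":
        return Outcome("none", None, 0.0, "low-risk flow, no added friction")
    if not on_mobile_data:
        # Wi-Fi-only session: the request does not traverse the mobile network,
        # so the caller routes to its other MFA factor.
        return Outcome("fallback", None, 0.0, "wifi-only session")
    start = time.monotonic()
    try:
        # Hypothetical client wrapper: returns True on match, honours the timeout.
        matched = verify(phone, budget_s)
    except (TimeoutError, ConnectionError) as exc:
        return Outcome("fallback", None, time.monotonic() - start,
                       type(exc).__name__)
    elapsed = time.monotonic() - start
    return Outcome("network", matched, elapsed,
                   "match" if matched else "mismatch")


def kpis(outcomes: list) -> dict:
    """Success, match and fallback rates plus p95 latency over attempts."""
    attempts = [o for o in outcomes if o.method != "none"]
    answered = [o for o in attempts if o.method == "network"]
    lat = sorted(o.latency_s for o in answered)
    p95 = lat[min(len(lat) - 1, int(0.95 * len(lat)))] if lat else None
    n = len(attempts) or 1
    return {
        "success_rate": len(answered) / n,
        "match_rate": sum(o.verified for o in answered) / (len(answered) or 1),
        "fallback_rate": (len(attempts) - len(answered)) / n,
        "p95_latency_s": p95,
    }
```

A mismatch is returned as a network answer with `verified=False`, not as a fallback, so the risk engine can treat it as a negative signal rather than silently downgrading to another factor.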
Key risks: privacy, accountability, and interoperability
Federation reduces fragmentation, but enterprises still need clear guardrails on privacy, accountability, and interoperability.
Privacy compliance, consent management, and liability boundaries
Network-derived verification must align with Malaysia's privacy framework and sectoral guidance, with explicit purposes, user consent where required, and robust data minimization. Define liability boundaries for false matches, outages, or abuse. Enterprises should validate that vendors and carriers provide audit trails, security attestations, and clear incident response processes.
Standardized SLAs and schemas to prevent multi-exchange sprawl
Multiple exchanges are emerging, and enterprises will want consistent SLAs, schemas, and commercial terms across them. Adherence to CAMARA specs, harmonized onboarding, and standardized service-level metrics are essential to prevent a new wave of integration sprawl. Operators should ensure roaming and cross-border policy enforcement behave predictably for regional use cases.
Next steps for telcos and enterprises
Both telcos and enterprises can act now to turn this announcement into measurable risk reduction and better customer experiences.
Publish docs, SLAs, roadmaps; align consent and audit models
Publish clear technical docs, sandbox access, and pricing for the federated API. Commit to transparent SLAs, regional interoperability plans, and a roadmap that adds SIM Swap Detection, Device Location, and KYC Match. Provide reference architectures and SDKs for major languages and mobile platforms, and align consent and audit models across operators to simplify compliance.
Prioritize high-risk flows; test, negotiate SLAs, and design for portability
Prioritize high-risk flows (account recovery, new device login, and payment authorization) for early integration. Run A/B tests to quantify fraud reduction versus friction. Design for multi-federation portability using CAMARA-conformant abstractions and OAuth2-based security patterns. Negotiate SLAs tied to latency, availability, and match accuracy, and bake API health and drift monitoring into your observability stack. Look ahead to bundling multiple network APIs into a layered risk score for stronger, more seamless digital trust.