The OSP Framework gets a Progressive Overhaul

The Department of Telecommunications (DoT) has published the Guidelines for Other Service Providers (OSP) implementing a significant overhaul of the existing telecom framework for Business Process Outsourcing (BPO) entities in India.

The OSP framework was originally put in place to ensure that the special dispensations provided to the then nascent BPO sector had adequate safeguards. These safeguards were designed to ensure that OSPs did not impinge into the jurisdiction of Telecom Service Providers (TSP) as well as to address associated security concerns. Over time, thanks to the increased availability (and the decreasing cost) of telecom connectivity, as well as the convergence of voice and data technologies, these regulations were no longer relevant. To the contrary, they imposed a significant compliance burden on the IT and ITeS industries which were made even more challenging given the vague language with which the framework had been drafted.

The DoT has radically pared the framework down to restrict its applicability and to remove a number of the procedural compliances. These include:

• the applicability of the framework to non-voice based BPO activities;
• the registration requirement for all OSP entities;
• penalty and audit provisions;
• requirements to furnish a bank guarantee;
• content monitoring;
• most restrictions on sharing of infrastructure; and
• location and network specific requirements like the need to provide a network diagram.

In effect, the framework now primarily contains certain security obligations with additional high-level protections to prevent toll bypass. The definition of the term OSP has been limited to only voice based BPO service providers removing data-based services entirely from the ambit of the regulation. The new framework permits (i) the sharing of infrastructure between international and domestic OSPs over VPNs, (ii) the interconnectivity of OSPs, (iii) the use of closed user groups for internal communications, (iv) the facility of work from home/work from anywhere, and (v) the use of distributed EPABXs, without any limitations or registration/intimation requirements. All that OSPs are required to do is ensure that there is no toll bypass.

International OSPs may host their EPABX abroad, provided they have a copy of their call data records (CDR) and system logs stored at any of their centres in India. Domestic OSPs on the other hand are required to retain their EPABX and client data centre only in India. As far as security related obligations are concerned, the new framework requires OSPs to maintain CDRs, system logs, access log, configurations of the EPABX, and routing tables, for a period of one year. Remote access is required to be provided to the authority to view the CDRs along with details of the agent manning the position. In case of specific instances of unlawful content (such as content that infringes intellectual property), the OSP is required to extend support to the authority in tracing any malicious calls, messages or communications carried on its network.

Download PDF to read more