Security is often the first question businesses ask when exploring RCS messaging.

Unlike SMS, which sends messages in plain text, RCS provides encryption and verified sender protections that significantly improve message security. 

Still, many teams are unsure whether RCS matches the safety of fully end-to-end encrypted apps like WhatsApp, and whether it’s ready for sensitive use cases like banking, healthcare, or government services.

What is RCS and how is it different from SMS?

RCS (Rich Communication Services) was developed by the GSMA as a modern upgrade to SMS, bringing richer media, verified branding, and interactive features directly into the native messaging app on supported devices.

Quick recap of RCS

• Built for richer engagement: Supports read receipts, branded sender IDs, carousels, buttons, and rich media
• Native integration: Pre-installed on most Android devices via Google Messages or carrier apps, requiring no additional downloads
• Business-ready: Designed to handle both person-to-person (P2P) and application-to-person (A2P) messaging use cases

Is RCS encrypted? Yes, but it differs for P2P vs A2P

• P2P (Person-to-Person): When two users chat via Google Messages, RCS messages are end-to-end encrypted, meaning only the sender and receiver can read the content.
• A2P (Business Messaging): When brands send messages to customers, RCS uses TLS encryption in transit. This ensures messages are protected as they travel between the brand, Infobip, carriers, and the recipient’s device, but it’s not yet end-to-end encrypted.
• Google is actively working with telecom operators and the GSMA to extend end-to-end encryption to business messaging in future updates.

For non-RCS users, Infobip ensures message security with:

• TLS encryption on SMS where supported.
• Fallback to secure OTT channels like WhatsApp for sensitive or high-value communications.

Understanding RCS encryption

RCS brings significant security improvements over SMS, but encryption levels differ depending on whether it’s used for business messaging (A2P) or person-to-person (P2P) chats.

Encryption in transit vs. end-to-end

• Business (A2P) RCS: Messages are encrypted in transit as they move between the business sender, Infobip, Google’s RCS backend, the mobile network operator, and the recipient’s device. This TLS-based encryption prevents unauthorized access during delivery but does not encrypt messages all the way from sender to recipient device.
• Person-to-person (P2P) RCS: When two users chat via Google Messages on supported devices, the conversation can be fully end-to-end encrypted (E2EE), ensuring only the two participants can read the content.

Why A2P RCS is not fully E2EE yet

• Cloud routing: Business messages often need to route through cloud infrastructure to handle high volumes, cross-carrier delivery, and automatic fallback to SMS or WhatsApp for non-RCS users
• Verification and trust: RCS includes sender verification and message logging features to prevent spoofing and phishing. To support this, some message metadata must remain readable to authorized systems
• Analytics and compliance: Businesses need access to delivery receipts, read statuses, and interaction metrics. Full E2EE would currently block these features, so encryption in transit is used instead

Common security questions about RCS

Security is a top consideration for businesses adopting new messaging channels. Here’s what you need to know about RCS encryption, sender verification, and cross-platform safety.

Is RCS safe for financial or healthcare use?

Yes, when implemented through a certified provider like Infobip.

• Encryption in transit protects message content as it moves between the sender, carrier, and recipient.
• Verified senders ensure only authenticated businesses can send RCS messages.
• Infobip’s platform adheres to GDPR, local telecom regulations, and ISO-certified security standards.

Can messages be spoofed or intercepted?

• Spoofing: RCS uses branded and verified sender IDs. Businesses must pass carrier and/or Google validation before sending messages. A blue checkmark appears next to verified senders, helping customers trust the message origin and reducing spam risks.
• Interception: RCS messages are protected using TLS encryption in transit, preventing unauthorized access while the message travels across networks.

What about iOS support?

• With iOS 18, RCS is supported on both Android and iOS, improving interoperability and enabling rich messaging between devices.
• Where RCS isn’t fully supported, Infobip automatically falls back to SMS or WhatsApp, ensuring message delivery while maintaining appropriate encryption levels.

What about interoperability across devices?

• RCS is rapidly becoming a global standard for rich messaging on both Android and iOS platforms.
• Infobip automatically handles cross-device compatibility, fallback routing, and message formatting, so campaigns reach all users consistently.
• Looking ahead, Infobip will support the GSMA’s Messaging Layer Security (MLS) standard once it becomes available, enabling cross-platform end-to-end encryption for business messaging.

How Infobip keeps RCS messaging secure

Infobip provides enterprise-grade security for RCS business messaging, ensuring messages are delivered safely, verified for authenticity, and compliant with global regulations.

Industry examples and adoption

RCS is gaining traction across multiple regulated industries that require secure, compliant communication. Infobip enables these businesses to leverage RCS while ensuring fallback and encryption integrity.

Financial services

Financial institutions are adopting RCS for secure alerts and authentication flows:

• Send transaction notifications, fraud warnings, and payment reminders using verified RCS brand IDs.
• Use one-tap action buttons for card activation or secure login flows.
• Automatically fallback to encrypted WhatsApp or SMS OTPs for customers without RCS support, ensuring compliance and message continuity.

Healthcare and public services

Hospitals and public agencies use RCS for patient updates and public safety alerts:

• Send appointment reminders, vaccination notices, or health campaign updates via RCS rich cards.
• Manage opt-ins and consent flows to comply with HIPAA and GDPR regulations.
• In emergencies, Infobip’s secure SMS failover ensures critical updates reach every recipient instantly.

Retail and eCommerce

• Verified branded promotions and interactive product showcases
• Secure order confirmations and delivery tracking with RCS buttons and rich media
• Fallback to WhatsApp or SMS to maintain security and coverage across the entire customer base

FAQs: RCS encryption

Read more:

Basic CAPTCHA defenses break under modern bot pressure. In 2025, more businesses are replacing them with smarter, user-friendly, and more secure CAPTCHA alternatives. 

CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, has long been used to stop bots. It requires user interaction to solve simple puzzles before they can submit forms, request OTPs, or view certain content. These tasks may include: 

• Selecting specific images (visual puzzles) 
• Solving math problems 
• Typing distorted text 
• Completing drag and drop actions 
• Listening to and solving audio CAPTCHAs 

These are some of the most common types of CAPTCHA. They help confirm that the user is human. 

But there’s a growing problem: bots have become smart enough to solve these tests faster than people. 

Because of AI, modern bots can now solve CAPTCHA challenges, including reCAPTCHA v3, faster than human users. And with services like 2Captcha or DeathByCaptcha, or open-source tools available on GitHub, bypassing CAPTCHA has become low-cost and automated. 

Even worse, CAPTCHA can harm your platform in several ways: 

It frustrates real users and slows conversions: CAPTCHAs often get in the way of legitimate users, especially on mobile. They slow down sign-ups and increase form abandonment. 

It limits access for some users: Tasks like image selection or distorted text can be difficult for users with visual impairments, making CAPTCHA less inclusive. 

It gives a false sense of security: Many businesses rely on CAPTCHA alone. But without additional safeguards, attackers can easily bypass it, making it a weak line of defense. 

While CAPTCHAs can block simple bots, they fall short as a mitigation tool against advanced ones. 

The evolving threat: Why businesses need CAPTCHA alternatives

Modern bots use AI and machine learning to mimic human behavior. Many bots can now automatically get past CAPTCHA. These fake visits, called artificially inflated traffic (AIT) or SMS pumping, waste your money and create serious security problems. 

Attackers can: 

• Trigger fake OTPs to exhaust SMS credits 
• Flood your system with signups or logins to scrape data 
• Exploit forms to launch phishing or spam campaigns 
• Launch DDoS-style overloads using seemingly human interactions 

That’s why it’s time to look into alternatives to CAPTCHA that protect users and platforms more effectively. 

Here are some of the most effective and accessible CAPTCHA alternatives businesses are now using: 

Behavioral analysis 

Instead of asking questions, this method observes how users behave by:

• Analyzing actions like mouse movements, typing rhythm, scrolling, and clicking.
• Distinguishing between bots and humans in real time
• Avoiding interruptions for human users
• Achieving high accuracy for detecting automated bot patterns
• Working invisibly behind the scenes, improving UX

This method collects information about your device and browser, like screen size and operating system, to create a unique ID for each visitor. Bots struggle to imitate these details consistently. 

• Passive and background-based 
• Highly effective on both web and mobile apps 
• It detects bots even when they change IP addresses 

A form includes an extra field that real users never see (because it’s hidden via CSS or JavaScript). Bots that auto-fill all fields will complete it, instantly flagging them as non-human. 

• Simple, effective, and easy to implement 
• No added steps for users 
• Best for basic spam protection 

This method works quietly in the background and triggers challenges only when it detects suspicious behavior. Google’s reCAPTCHA v3 is an example. 

• Less intrusive than image or text puzzles 
• Still vulnerable to bot evolution and captcha-solving services 
• Must be combined with additional layers for full protection 

Although CAPTCHA still helps with bot protection, it’s no longer the main solution. Businesses need smarter tools that adapt to behavior.

Other CAPTCHA alternatives rely on simple logic or passive behavior tracking. Infobip Signals uses real-time AI to detect and stop fraud, without asking users to do anything. 

Here’s how Infobip Signals helps you: 

1. Detects and blocks AIT automatically 

Infobip Signals automatically detects and filters out fraudulent OTP requests before they reach your system, preventing unnecessary SMS costs by blocking illegitimate traffic without any extra work on your part. 

2. Analyzes traffic patterns and IP addresses 

It uses advanced detection to assess whether traffic is real or fake, flagging suspicious behaviors, and device signatures. 

Instead of replacing CAPTCHA entirely, Infobip Signals strengthens it. Low-risk users avoid friction, while high-risk sessions receive extra checks. This makes it a key part of modern anti-fraud CAPTCHA solutions. 

4. Filters fake from genuine users 

Signals separates malicious bots from human users in milliseconds. That means better UX, fewer CAPTCHA challenges, and more reliable data. 

5. Protects from AIT, DDoS, and abuse 

Whether you’re facing AIT, DDoS attacks, or credential abuse, Signals adapts to block evolving threats. 

One-minute video about an intelligent solution that cuts costs by blocking AIT:

Traditional CAPTCHA (Visual/auditory puzzles) 

Pros:

• Easy to implement 

Cons:

• Bad for accessibility 
• Annoying for users 
• Weak against modern bots 

reCAPTCHA v3 (Invisible Google CAPTCHA)

Pros:

• Frictionless for users 
• Works well with behavioral data 

Cons:

• Still beatable by advanced bots 
• Can reduce site speed and privacy 

Behavioral analysis 

Pros:

• Strong detection of bots 
• Great user experience 
• Works well with other layers 

Cons:

• Requires good data management 

Device fingerprinting 

Pros:

• Works in background 
• Strong bot resistance 

Cons:

• Needs privacy compliance 
• Can be blocked by some browsers 
• Fingerprint collision problem 

Hidden field trap 

Pros:

• Simple to deploy 
• Effective for spam 

Cons:

• Not strong against smart bots 
• Can be bypassed by custom scripts 

Infobip Signals 

Pros:

• AI-driven, real-time fraud prevention 
• No user effort required 
• Best for AIT protection, SMS abuse, and OTP fraud 
• Easy to integrate with existing systems 

Cons:

• Bots hate it, but you’ll love it

Choosing the right alternative CAPTCHA for your platform 

The best CAPTCHA alternative depends on your specific needs. Consider the following: 

Focusing on user experience? Choose solutions that work in the background and avoid puzzles that frustrate users. 

Dealing with fake signups or SMS pumping? Use real-time detection tools that identify and stop misuse instantly. 

Are you experiencing financial loss due to AIT or malicious traffic? You’ll need automated systems that can block threats before they cause damage. 

Need your service to be usable by everyone? Use CAPTCHA alternatives that don’t rely on images, audio, or clicking. These are more inclusive for users with various limitations. 

In 2025, CAPTCHA on its own no longer provides adequate protection. The rise of automated bot attacks, AIT, and fraudulent signups demands more intelligent, user-friendly, and scalable defenses. 

Did you know that in France, businesses can’t send SMS messages on Sundays? And that in Malaysia, the message header must clarify that recipients won’t be charged for receiving it?

When sending SMS to customers, staying compliant is crucial, but it’s not straightforward. Each country and state may have its own laws, and mobile carriers add another layer of complexity. While achieving 100% compliance might seem impossible, the risks of non-compliance—blocked messages, reputational damage, lost business, and fines—are too significant to ignore.

To help you stay informed, we’ll start this guide by summarizing the most common aspects of A2P SMS compliance globally, and then move on to specific regions.

Please note: This content is provided for information purposes only and should not be relied on as legal or compliance advice.

A summary of global SMS rules

• Opt-in (and out): In most countries you can only send SMS messages to customers that have opted-in to receiving them. Beware that that the definition of ‘opt-in’ has matured and usually has to be explicit, usually through a sign-up form or by sending a keyword. Implied opt-in because a customer bought a product or service and forgot to uncheck a tick-box is no longer acceptable. Opt-out allows customers to stop receiving messages by following a simple process, such as replying ‘STOP’.”
• Sender ID: A Sender ID refers to the name of the sender in the recipient’s inbox. In some markets, you can use alphanumeric senders, meaning that you can send SMS messages using your own brand name rather than a number your customers don’t recognize. However, this option is not available everywhere, and you might need to pre-register your Sender ID due to rules that prevent duplication and SMS fraud.
• Message content: Most countries differentiate between transactional and marketing messages and apply different restrictions. A delivery notification or a weather alert would be classed as transactional, while any promotional or sales message would come under marketing. Even in regions where promotional SMS messages are allowed, there are usually additional restrictions on content related to gambling, drugs and alcohol, adult-themed products, and both political and religious topics.
• Message length: It is commonly accepted that 160 characters is the limit for SMS messages, but this can be less in some countries. It is up to individual carriers in each country whether to support truncation (concatenated messages). Be warned that some carriers will only send the first 160 characters, with the rest being discarded.
• Sending time: In many countries, you are only allowed to message customers between certain hours, such as 8am and 8pm, and sometimes not at all on certain days, for example on Sundays in France.
• ‘Do not contact’ registries: In many countries, consumers can opt out of receiving business communications by signing up to do-not-contact or do-not-disturb registries. If you ignore this, you run the risk of service suspensions or fines.

Next, we will provide you with a summary of the rules in each region. For information on specific countries please have a look at our SMS coverage and connectivity guide with details on just about every country in the world.

SMS regulations in the US

These are the most important elements of SMS compliance in the United States.

• Registration required: In the US all messaging programs must be registered. Unregistered traffic is not allowed. Businesses must register their messaging programs with mobile carriers to ensure compliance with legal and carrier-specific guidelines. This process includes providing information about the type of messages being sent and ensuring adherence to opt-in rules.
• Content restrictions: Certain types of content, such as gambling, drugs, alcohol, firearms, and adult content, are prohibited from being promoted. Promotion of some financial products, such as certain loans, debt relief, and credit repair, is also prohibited. Lead-generation campaigns that involve sharing collected information with third parties are also disallowed.
• Opt-in requirement: Both marketing and transactional messaging are allowed, but only to subscribers who have opted to receive them.
• Two-way messaging: All commercial text messages must be two-way, which enables customers to opt out of receiving further messages and obtain support by texting “HELP”.
• Multiple sender types: In the US businesses can use short codes or 10-digit long codes (10 DLCs).
• Legislation: The key legislation covering SMS messaging in the US is the Telephone Consumer Protection Act (TCPA). The Cellular Telecommunications Industry Association (CTIA), a trade group representing wireless carriers and others in the telecom industry, lays out additional guidelines for SMS marketing in its Short Code Monitoring Handbook. Also, each individual carrier network is privately owned and operated, and as such, they reserve the right to approve, reject, question, or disable any campaign on their network. Some carriers have their own individual Code of Conduct.
• The Federal Communications Commission (FCC) plays an active role in regulating SMS in the United States and reports directly to Congress. The FCC adopts rules and regulations to address issues related to SMS, such as requiring providers to maintain a point of contact for reporting erroneously blocked texts and proposing measures to extend the National Do-Not-Call Registry’s protections to text messages. The FCC also enforces compliance with these regulations to ensure that consumers are protected from fraudulent and unwanted text messages.

SMS compliance checklist for the US

Before diving into the specific steps, it’s crucial to understand the distinction between legal requirements and carrier guidelines in the United States.

• The TCPA sets the legal framework, prohibiting the sending of unsolicited text messages (SMS) to consumers without their consent. Non-compliance can lead to hefty class-action lawsuits and fines of up to $1500 per text.
• CTIA guidelines are carrier-specific rules that further protect consumers. Adhering to them is essential to avoid fines, maintain a positive reputation and ensure uninterrupted sending capabilities.

With that explained, here are the steps you need to take to keep your SMS program compliant in the US:

Additional information about SMS compliance in the US

The following is a summary of a 45-minute live session we at Infobip organized for marketing platforms and agencies on the topic of SMS and MMS compliance. A panel of mobile messaging experts answered the questions.

1. Shared short codes no longer allowed

Shared short codes are no longer permitted in the US. Each brand must have a dedicated short code. If another customer wants to use your messaging services, obtain a new source (dedicated short code, 10DLC, or text-enabled toll-free number) for their messaging.

Even if your front-end customer is the sole user of a short code, it may still be considered shared if they share it with other brands or clients. All messaging on a short code must be controlled by a single entity and dedicated to a specific brand.

2. Why we insist on CTA compliance

The CTIA (Cellular Telecommunications Industry Association) established CTA guidelines agreed upon by all mobile carriers. Specific elements within a CTA ensure best practices and transparency and inform subscribers about what they’re signing up for.

To get your campaign approved as Infobip’s customer, including all necessary elements in your CTA is crucial. We adhere to contractual agreements with mobile carriers, ensuring compliance with their code of conduct.

3. Third-party data sharing is strictly prohibited

Lead generation and affiliate marketing campaigns are prohibited as they involve third-party data sharing and can lead to spam. This also applies to customer requests to use 10DLC numbers for collecting opt-in and forwarding to lead generation agencies.

4. Requirements for specific use cases

Donation campaigns: These have additional requirements and must conform to the CTIA Messaging Principles and Best Practices.

Abandoned cart reminders: Carriers have specific requirements for abandoned cart reminders to protect consumers. You must ensure the program name explicitly states that customers are signing up for cart reminders (not just generic marketing alerts). Also, keep in mind:

• Cart reminders need to be mentioned in your T&C.
• Program name, description, T&C, and cart reminders should align.
• You should use a double opt-in process for added security.
• You should explain how information is captured (e.g. via cookies or webhooks) in the privacy policy.

Missing information may lead to campaign rejection.

Fraud alerts: There is a TCPA exception for fraud alerts with an implied opt-in, but you must remember that approval is at the carrier’s discretion and that there are additional requirements.

CBD messaging: CBD is not federally legal. Any messaging must meet federal laws. Just because many states have legalized cannabis, it is not legal at the federal level, so the carrier networks have disallowed this messaging content.

You can find more info about messaging use cases in the US here.

5. TCPA compliance does not guarantee approval

TCPA requirements are the bare minimum requirement. Programs must also meet CTIA and carrier guidelines and ultimately the carriers are privately owned and operated networks and can approve/deny any program.

6. Why stop menus are no longer used

Stop menus are only necessary when a short code is being shared but shared short codes are no longer permitted. If a customer requests to opt-out of a short code program, then they must be completely removed from receiving messages from the short code. No further message can be sent unless another opt-in occurs. This includes short codes with multiple use cases for the same brand.

SMS regulations in Europe

There are 27 countries in the European Union and a further 3 countries in the European Economic Area (EEA) that are also covered by European rules that apply to privacy and electronic communication (Norway, Lichtenstein, and Iceland).

GDPR is the mostly widely recognized Europe-wide legislation, but there are others like the E-privacy Directive. The GDPR protects consumer data privacy, requiring explicit consent for data use, while the E-privacy Directive focuses specifically on electronic communications, including SMS, ensuring messages are sent legally and ethically.

There are also specific regulations in individual countries. For example, some EU countries allow one-way commercial SMS messages to be sent, and others do not.

On the whole however, SMS regulations in Europe are some of the tightest and strictly enforced in the world, especially when it comes to opt-in and crucially opt-out.

• Consumers must explicitly opt-in to receive marketing communication – it must be clear and unambiguous, and all the information required for them to understand what they are signing up for must be easily available, for example via a link to the company’s privacy policy.
• All marketing messages sent from a business, including SMS, must include a simple and free method of opting out, for example replying with the text STOP. Removing consent has to be as easy as granting it in the first place.

GDPR is definitely not toothless legislation. Just ask British Airways who were fined £20 million after the personal data of over 400,000 customers was stolen by hackers. Hotel chain Marriott International took an even bigger hit of nearly £100 million when it had to pay compensation to millions of people whose private data was stolen from the organization.

While fines for not complying with SMS regulations are nowhere as high, they are still significant enough that businesses have to be very careful to not break any rules.

SMS regulations in APAC (Asia-Pacific)

The Asia-Pacific region is the largest SMS market in the world. In the list of countries with the most active mobile phone users, the top three spots are occupied by APAC nations: China, India, and Indonesia. Have a more detailed look into the regulations for the most significant APAC markets below:

China

In China, the following types of marketing/promotional messages are strictly prohibited: real estate, stocks, loans, investment banking, education, immigration, politics, adult supplies, pornography, violence, gambling, and other illegal information.

Business SMS messaging is restricted to long codes, which are are standard phone numbers used for business messaging, offering a recognizable format for recipients and ensuring compliance with local regulations.

To send SMS messages, businesses need to register message templates and a business license, along with company details:

• Official website
• Company (entity) name
• Type of traffic
• Message content
• Sender name and signature

Learn more about SMS registration and guidelines for China here.

India

To send commercial SMS in India, businesses must register with telecom authorities or service providers using Distributed Ledger Technology (DLT).

DLT uses blockchain technology to stop unsolicited communication. In short, it synchronizes mobile subscriber data who opted for Do Not Disturb (DND) services with all Mobile Network Operators (MNOs). It is used keep a record of every SMS sent, specifying the business sending the SMS, the actual sender name displayed, the main content of the SMS, and the nature of the consent that the SMS recipient has agreed to.

When registering on a DLT platform, you will need to provide the business’s name along with the templates (messages that will be sent), headers (Sender IDs), and consent templates.

Clickable links in SMS messages

There have been recent updates regarding clickable links in SMS messages in India.

Under the new regulations, any clickable links in SMS messages, such as URLs, short links, or CTAs (Call-to-Action links), must now be whitelisted on the DLT (Distributed Ledger Technology) platform.

If a message contains a link that has not been whitelisted, it will fail the DLT scrubbing process and will not be delivered to the recipient.

Example: If your SMS includes a link like: https://www.xyz.com/, you must whitelist it in advance on the DLT platform. Without this, the message will not pass regulatory checks and will fail delivery.

Content restrictions

• Window for sending promotional messages: between 10 AM and 9 PM.
• Gambling and cryptocurrency messages are forbidden.

You can learn more about the process of registering an SMS sender in India here.

Indonesia

These are the most important aspects of SMS compliance in Indonesia:

• Gambling, religious, adult, and racial content is prohibited.
• It is mandatory to register a sender with Indonesian network operators.
• To register a sender, you must provide a Letter of Authorization (LOA).
• Different requirements apply for local and international senders.
• Sender name should not exceed 11 characters (including spaces and punctuation).
• You can only register one sender ID per company. For multiple IDs, you need to provide a statement.
• Only alphanumeric sender IDs are allowed. You must use brand-related sender IDs; generic senders are not allowed.

You can learn more about SMS guidelines for Indonesia here.

Australia

No adult, religious, or political content is allowed when sending SMS to customers in Australia. There are certain restrictions regarding gambling:

• Anyone providing a regulated interactive gambling service in Australia must hold a license under Australian State or Territory laws.
• Gambling promotional messaging is strictly prohibited for new users unless the user specifically opts in with the gambling company before the actual SMS termination.
• Inducing new or existing users to gamble is prohibited in the message content.
• Opt-in/opt-out is required for all promotional or transactional gambling messages.
• Online sports betting is legal through licensed operators, with numerous additional restrictions.

You can use an alphanumeric sender ID, a virtual long number, or a short code. To register as a business sender, you must provide a Letter of Authorization (LOA). You can learn more about SMS guidelines for Australia here.

SMS regulations in MENA (Middle East & Northern Africa)

Our latest Messaging Trends report shows an increasing demand for SMS and CPaaS solutions due to a wider adoption of CRM systems across industries, investments in customer experience, and growing cybersecurity demands.

Here is an overview of SMS regulations in some of the largest markets in MENA.

Saudi Arabia

Saudi Arabia is a highly regulated country in terms of SMS. Here are the most important aspects to consider:

• A2P SMS traffic is categorized into local and international traffic (by origin), and transactional and promotional (by type).
• Your company must have a local presence and provide relevant documentation for local SMS termination.
• Alphanumeric senders are allowed.
• Gambling, betting, Spam, loan traffic, crypto, Forex, and adult content are likely to be blocked by Saudi Arabian operators.
• URL shorteners (e.g., bit.ly, goo.gl) are strictly forbidden. Other URLs in message content need to be safelisted beforehand.
• Promotional traffic can only be sent between 8 AM and 10 PM local KSA time zone.
• When sending promotional traffic, companies should add a suffix “-AD” to the sender name.

Morocco

In Morocco, A2P SMS traffic is categorized into local and international (by origin), and sender registration is mandatory for both types, with proper documentation.

Sender IDs must adhere to the following rules:

• Maximum length: 11 characters
• Generic senders, special characters, spaces, and numbers are not allowed

Two-way messaging is available for local traffic only, meaning that recipients can only respond to messages sent by businesses located within Morocco.

Promotional (marketing) traffic is allowed only between 10 AM and 8 PM local time. This corresponds to 9:00 to 19:00 UTC.

There are no specific content restrictions.

Algeria

In Algeria, you can use a dynamic alphanumeric sender. However, numeric senders might get blocked on some networks. Two-way SMS is currently unavailable.

These are the only restrictions for A2P messaging:

• Gambling traffic is forbidden.
• Traffic with illegal, adult, religious, and political content is prohibited and will be blocked.

SMS regulations in LATAM (Latin America)

Here is a summary of the most important aspects of SMS compliance in the some of the biggest LATAM markets:

Brazil

• Dedicated and shared short codes allowed: Short codes are commonly used for SMS communication in Brazil. Both dedicated and shared short codes are allowed, but it’s crucial to comply with local regulations and obtain the necessary approvals.
• Alphanumeric sender IDs allowed only for local customers: Alphanumeric sender IDs are only allowed for local companies that have a local presence in Brazil. When using alphanumeric sender IDs, we advise our customers to consult with their dedicated Account Manager, who can provide guidance on the specific requirements and restrictions.
• Virtual Long Numbers are not allowed: Virtual Long Numbers (VLNs) are prohibited for SMS messaging in Brazil. If you plan to use long numbers, ensure they are physical and comply with local regulations.
• Messages with bank and MNO names need authorization: Messages containing references to banks or mobile network operators (MNOs) must be authorized by the respective companies. Unauthorized use of their names may lead to compliance issues.
• Political and gambling content not allowed: SMS messages related to political campaigns or gambling activities are prohibited.
• Marketing messages require opt-in: You need to obtain explicit opt-in consent before sending marketing messages.
• Opt-out (unsubscribe) is mandatory: You need to include an opt-out option in your SMS messages, allowing recipients to unsubscribe easily.
• DND (Do Not Disturb) registry available: A DND registry is available in Brazil. However, end-users must explicitly request it. You must respect their preferences and avoid sending messages during restricted hours.
• Messaging time windows: Messages can be sent between 8 AM and 8 PM on workdays (Monday to Friday), and from 8 AM to 2 PM on Saturdays. No SMS messages are allowed on Sundays.
• Keywords recommended for MO (Mobile Originated) messages: When setting up MO messages, use specific keywords to ensure that the right customer receives the message. Generic keywords may lead to misdirected messages.

Colombia

• Short codes allowed (shared or dedicated): Short Codes (shared or dedicated) are allowed for sending SMS notifications (transactional, marketing, debt collectors, etc.).
• Virtual Long Numbers not allowed: Virtual Long Numbers (VLNs) are prohibited for SMS messaging in Colombia.
• Opt-in required: You need to collect explicit opt-ins from end users before sending any messages.
• Restrictions for debt collectors and marketing content: The CRC (Telecommunications Regulator) imposes restrictions on debt collectors and marketing content. These types of messages are allowed only between 8:00 AM and 9:00 PM.
• Restrictions for political content: You must have opt-ins to send political content. Every political message must contain a Spanish version of the text “paid political ad.”
• NLI not supported: NLI (Non-Latin Identifiers) are not supported.
• Short codes must be active: If short codes are not being used, the regulator may remove them. Ensure that your short codes remain active and relevant.

How to ensure SMS compliance globally

To summarize, there are some best practices that are common across most global regions that you should follow to ensure SMS compliance:

• Obtain clear consent: Always get explicit consent from customers before sending text messages.
• Send appropriate content: Check and respect the legal restrictions in the country regarding message content.
• Respect time windows: Send texts at appropriate times and avoid spamming.
• Register your sender: Use a verified business sender for messaging, according to country-specific regulations.
• Ensure an opt-out mechanism: Provide an easy way for subscribers to opt out of receiving further messages.

Maintaining SMS compliance across countries can pose quite a challenge. There is little doubt that to succeed, you will need the help of an experienced and proven enterprise SMS provider.

We would love to help. We have years of hard-won experience in international SMS delivery and compliance capability is actually built into our platform. And we certainly know our rules – we have staff on the ground on every continent keeping on top of local legislation and maintaining relationships with the biggest network of providers of any SMS supplier.

The end result? Our customers remain compliant in every territory and get the best possible delivery rates.