A single non-compliant SMS sent to a DND-registered number, or a commercial message sent without a valid nationally registered template and sender ID, is a regulatory event — not a campaign metric failure. The ePrivacy Directive (Article 13) and national SMS marketing rules govern every promotional and transactional SMS a bank sends to a borrower. Violations produce regulatory complaints, national regulator enforcement notices, and in aggregate, the kind of Ombudsman and telecom regulator attention that no institution wants. The Email & SMS Campaign Agent AI runs a compliance gate on every outgoing message — not as a post-campaign audit, but as a real-time pre-send check that prevents non-compliant messages from being sent at all.
The ePrivacy regulatory framework: what it governs and what it requires
The ePrivacy Directive (Article 13) and national telecom authority frameworks require that every commercial SMS sent in the EU meets four conditions simultaneously. First, the sending entity must be registered with the applicable national telecom authority (e.g. Bundesnetzagentur, ARCEP, or Ofcom) for its sender IDs. Second, every message template must be pre-approved under national rules — unregistered templates cannot be sent and will be blocked by operators. Third, the sender ID must match the registered entity and message category (transactional or promotional). Fourth, promotional messages may not be sent without valid GDPR consent and must honour marketing opt-out registries in each member state.
Transactional messages — messages that are sent in response to a specific customer action or that contain legally required disclosures — are exempt from DND restrictions and can be sent to all recipients. But the classification of a message as transactional or promotional is regulated, not self-declared. A message that includes an offer or a CTA to a product the borrower did not initiate is promotional, regardless of how the institution labels it internally.
"A message that the institution labels 'transactional' but that contains a promotional offer is a promotional message under ePrivacy regulation — and will be treated as one by carriers and regulators."
The pre-send compliance gate: 12 checks on every message
ePrivacy Compliance Gate — Pre-Send Audit · T11 (SEPA Direct Debit Bounce) · Shanthi Devi · Nov 5, 2025
12 compliance checks · All pass required · Message type: Transactional · Sender ID: IBFINC
12Checks total
12Passed
0Failed
ClearedSend approved
Group 1 — Sender and entity registration (checks 1–3)
✅Check 1: Sender entity registered on national telecom authority registration platformEntity ID: FIN-2021-XXXXXXXXXX · Active registration · No pending compliance actions · Verified against national registry Nov 5, 2025 ✓
✅Check 2: Sender ID (header) authority-registered and matches message categorySender ID "IBFINC" is registered as Transactional-Financial · T11 is classified Transactional · Header-category match confirmed ✓
✅Check 3: Message template pre-approved — template ID matchedTemplate ID: TXN-SEPA Direct Debit-BOUNCE-001 · Pre-approved · Variables: [Name], [Amount], [SEPA Instant / open banking-link] · Template match verified · Operator will not block ✓
Group 2 — Recipient consent and DND status (checks 4–7)
✅Check 4: DND status verified for this mobile number (NCPR lookup)Shanthi Devi · +91-9XXXXXXXXXX · NCPR status: Not registered in DND · No preference restrictions applicable for Transactional category ✓
✅Check 5: GDPR consent recorded — borrower has consented to transactional communicationsConsent record ID: CST-2024-XXXX · Scope: Transactional (loan account notifications) · Date: Aug 2024 (at loan origination) · Not expired · GDPR-compliant ✓
✅Check 6: Promotional consent verified if message category is promotionalT11 is Transactional — promotional consent check not required · If message were promotional: borrower has SC category opt-in on NCPR ✓ (noted for cross-sell sends)
✅Check 7: Opt-out history checked — has borrower previously unsubscribed from this message categoryNo unsubscribe record for Transactional category · If unsubscribed: Transactional messages are not suppressible under ePrivacy rules (they are legally required communications) · Noted ✓
Group 3 — Message content classification (checks 8–10)
✅Check 8: Message content matches declared category (Transactional vs Promotional)Content scan: message contains bounce notification, instalment amount, retry schedule, SEPA Instant link for same loan. No new product offer. No rate quote for new product. Classification: Transactional confirmed ✓
✅Check 9: Message does not contain prohibited content (ePrivacy rules and ECB / EBA FPC)Content scan: no threatening language · No third-party contact instruction · No inaccurate legal representation · No collection outside permitted context · FPC-clean ✓
✅Check 10: Message length within channel limits (SMS: 160 chars per segment)Message length: 148 characters (within single-segment limit) · No multi-part SMS required · Operator delivery probability: high ✓
Group 4 — Timing and frequency compliance (checks 11–12)
✅Check 11: Send time within permitted hours — ePrivacy / national rules: no promotional SMS before 9 AM or after 9 PMSend time: 14:36 (2:36 PM) · Within 09:00–21:00 window · Transactional messages have no time restriction but good practice applied ✓
✅Check 12: Message frequency within policy — no more than 3 promotional messages per borrower per day across all campaignsShanthi Devi promotional messages today: 0 · Transactional messages today: 1 (this will be 2) · No frequency cap breach · Message cleared ✓
The consent management workflow: from loan origination to every subsequent message
Loan origination · Consent collection
Explicit, granular consent collected at loan origination — separate consent for transactional and promotional
At loan origination, the borrower signs a loan agreement that includes a GDPR-compliant consent notice. The consent is granular: separate consent is collected for transactional communications (loan account updates, instalment notifications, regulatory disclosures — required for the loan to function), and for promotional communications (product offers, cross-sell, marketing). Consent is stored in the consent management system with a timestamp, the consent version (the exact text the borrower agreed to), and the channel scope (SMS, email, WhatsApp). Consent for transactional communications is mandatory for loan disbursement. Promotional consent is optional and clearly marked as such.
→ Transactional consent: mandatory at origination · Promotional consent: optional · Both recorded with version and timestamp · GDPR-compliant
Every send · Pre-send consent check
Consent is verified at send time — not at campaign creation time
Consent can change between campaign creation and message send. A borrower who was eligible for promotional messages at the time the campaign was built may have opted out in the intervening period. The Email & SMS Campaign AI checks consent status at the moment of send — not at the moment the campaign was configured. If consent has been withdrawn, the message is suppressed automatically regardless of what the campaign configuration says. This real-time consent check is the most important compliance gate — it prevents the scenario where a campaign built legitimately sends a non-compliant message to a borrower whose consent lapsed.
→ Consent verified at send time, not campaign build time · Withdrawal respected immediately · No override without compliance officer authorisation
Opt-out handling · Any channel
Opt-out from any channel immediately updates all channels — no silo
A borrower who replies STOP to an SMS is immediately opted out of promotional SMS. But the Email & SMS Campaign AI also cross-updates: if the borrower has opted out of promotional SMS, the opt-out is applied to promotional email and WhatsApp as well — unless the borrower has separately consented to those channels. The same logic applies in reverse: an email unsubscribe updates the SMS and WhatsApp promotional consent. Opt-outs are honoured within 24 hours per ePrivacy regulation; the Email & SMS Campaign AI applies them within 60 seconds.
→ Opt-out from any channel: cross-channel update within 60 seconds · ePrivacy rules require 24 hours · Zero promotional messages after opt-out
Annual consent refresh · GDPR requirement
Promotional consent refreshed annually — T34 trigger fires automatically at 12-month mark
The GDPR requires that consent be kept current and relevant. The Email & SMS Campaign AI tracks the date of each borrower's promotional consent and fires T34 (consent update required) at the 12-month mark — a clear, non-manipulative consent renewal request that explains what data is used for what purpose and gives the borrower an easy mechanism to update their preferences. Borrowers who do not renew promotional consent are moved to transactional-only communication. No promotional messages are sent to lapsed promotional consent until renewal.
→ T34 fires at 12-month consent anniversary · Clear renewal request · Non-manipulative · Lapsed consent: transactional-only until renewed
12Pre-send compliance checks — sender registration, template registration, DND status, GDPR consent, content classification, timing, frequency
60 secOpt-out applied across all channels — ePrivacy rules require 24 hours · Email & SMS AI applies within 60 seconds · No promotional message after opt-out
Send-timeConsent verified at send time — not campaign build time · Prevents lapsed-consent sends when consent changes between campaign creation and dispatch
24 monthsCompliance audit trail maintained — every send logged with check results · Regulatory inquiry produces complete send record within minutes
A compliance gate is not a speed bump — it is the mechanism that keeps the institution's communication programme legal
Every one of the 18,841 messages fired by the Email & SMS Campaign AI in the first 14 days of November passed 12 compliance checks before it was sent. The 12 checks add approximately 200 milliseconds to each send — an overhead that is invisible to the borrower and prevents the message from becoming an ePrivacy violation, an Ombudsman complaint, or a regulatory notice. An institution that does not run these checks is not running a faster campaign — it is running an unchecked one. When a regulator enquiry arrives, or when the Ombudsman asks for evidence that opt-out instructions were followed, the audit trail produced by the compliance gate is the only document that proves the institution operated lawfully. The Email & SMS Campaign Agent AI's compliance gate is not a constraint on campaign velocity — it is the infrastructure that makes the campaign programme sustainable at scale, without legal risk accumulating behind every send.
