The DSB proposes the following convention:
Data Holders using mobile phone numbers for use as a CDR user identifier should verify that the eligible CDR consumer has ownership of the mobile phone before using within the data holder's CDR channel.
Using mobile phone numbers as a user identifier, like email address, is becoming more common. However both mobile phone numbers and email addresses represent something more than a unique identifier: they represent a claim of ownership to a device or service used by the customer.
As such, it is considered good practice to ensure that consumers authenticating with a mobile phone number have previously verified they have access to the phone number (e.g. via a call centre verification process or digital self-service tool). This way, the data holder can be sure the consumer has access to the device associated with the phone number and hasn't incorrectly entered the phone number. This is especially important when the OTP is delivered by SMS to the consumer's mobile phone.
This registration service should be external to the CDR authentication flow.
Where data holders allow consumers to register multiple valid phone numbers (e.g. personal and business phone numbers), it is reasonable to expect each phone number can be used within the CDR authentication flow provided each is independently verified. In this situation, the mobile phone number or another such user identifier may act as a proxy for the profile selection step (refer to CX Guidelines "Account selection").