Archived 2023.01.11. Content moved to CDS Guide, One Time Pin (OTP)
Note: Updated 23rd of March 2022. Refined answer to reference the Consumer Data Standards.
Question
Are we required to send the OTP (One-Time Password) to international phone numbers in the user identifier consent screen for Data Holders? Or are we only required to send them to Australian mobile numbers?
Answer
The relevant sections of the standards relating to this question are in CDS Authentication Flows:
- Data Holders MUST provide a one-time password (OTP) to the customer through an existing channel or mechanism that the customer can then enter into the redirected page
- The delivery mechanism for the OTP is at the discretion of the Data Holder but MUST align to existing and preferred channels for the customer and MUST NOT introduce unwarranted friction into the authentication process
There is no requirement to use SMS for this OTP. The OTP is required to be delivered via an existing mechanism and must not introduce additional friction. Otherwise, the means of providing the OTP is at the discretion of the Data Holder.