22 May 2026

FCC seeks more prescriptive “know your customer” obligations for originating providers

The Federal Communications Commission (FCC) recently launched a new phase in its robocall mitigation agenda by proposing to convert its existing, principles-based “know your customer” (KYC) obligation into a more detailed compliance framework for originating voice service providers. In a Further Notice of Proposed Rulemaking (FNPRM) adopted at the Commission’s April 2026 meeting, the FCC seeks comment on rules that would:

  • Require originating providers to collect specified customer information before activation, verify that information, retain records for four years after the customer relationship ends, and re-verify information when red flags arise.

  • Establish a $2,500 per-call base forfeiture for KYC violations, materially increasing potential enforcement exposure, particularly for high-volume traffic.

  • Move KYC from a flexible due diligence concept toward a more auditable onboarding, monitoring, and recordkeeping obligation for carriers, interconnected Voice over Internet Protocol (VoIP) providers, mobile providers, and platform-based providers that function as originating providers.

  • Focus compliance expectations on providers serving business, high-volume, foreign-based, wholesale, prepaid, and non-traditional traffic flows, with potential implications for direct-to-device and other hybrid service models where customer vetting is distributed across multiple entities.

Comments will be due 30 days after publication of the FNPRM in the Federal Register. Reply comments will be due 60 days after publication in the Federal Register.

Below, we provide context for the FNPRM and discuss implications for service providers.

Background

The FCC’s current KYC rule is part of its broader anti-robocall and anti-spoofing framework developed alongside STIR/SHAKEN and related call-blocking initiatives. In the Fourth Call Blocking Order, the FCC required originating providers to take “affirmative, effective” measures to prevent new and renewing customers from using their networks to originate illegal calls, including “knowing [their] customers” and exercising due diligence to ensure that their services are not used to originate illegal traffic.[1]

That 2020 action created a general obligation but did not specify an onboarding checklist or verification methodology; providers were given flexibility so long as their measures actually restricted illegal traffic, with particular caution urged for high-volume origination services.[2]

STIR/SHAKEN increased the importance of KYC because attestation integrity depends in part on the originating provider’s relationship with, and knowledge of, the customer. In 2024, the FCC alleged in the Lingo Telecom matter that inadequate KYC protocols contributed to incorrect STIR/SHAKEN attestations for spoofed robocalls; the consent decree required more detailed customer identification and verification procedures.[3]

The FNPRM therefore may be understood as an effort to close the gap between a general obligation to “know” customers and the more concrete compliance steps the FCC appears to expect, as part of a coordinated strategy to stop illegal calls before they enter the network, improve traceability, complement call branding and caller name initiatives, and enhance law enforcement visibility into actors using United States voice networks.

A more prescriptive KYC framework

The FNPRM does not adopt final rules but seeks comment on a more prescriptive KYC framework that would:

  • Require originating providers, before granting service, to obtain at least the customer’s name, physical address, government-issued identification number, and an alternate telephone number. For “high volume” customers, including business and foreign customers, the FCC asks whether providers should also collect intended use of service (for example, marketing, education, political campaigns) and the IP address from which calls will be placed, where applicable.[4]

  • Ask whether providers should be required to verify customer information through supporting records, including government identification, corporate formation documents, proof of good standing, evidence that listed telephone numbers are active, third-party address records, and evidence of commercial presence (such as a website, social media presence, or storefront), particularly for high-volume customers.[5]

  • Propose that originating providers re-verify customer information when red flags appear, such as unusual traffic patterns, inconsistent foreign IP origination, dormant accounts that suddenly generate large call volumes, suspicious addresses or websites, or payment through non-traceable means such as cryptocurrency.[6]

  • Seek comment on requiring providers to retain KYC information and supporting records for four years after the customer relationship ends, aligning with the statute of limitations that the FCC identifies for certain spoofing and intentional Telephone Consumer Protection Act violations.[7]

  • Propose amending the forfeiture guidelines to establish a $2,500 per-call base forfeiture for KYC violations and explore tying KYC compliance to Robocall Mitigation Database filings, independent audits, and potential downstream blocking obligations for traffic from non-compliant originating providers.[8]

Potential implications for providers

The FNPRM would apply these enhanced KYC expectations to “originating voice service providers.” For this proceeding, the FCC incorporates the definition of “voice service provider” from the Fourth Call Blocking Order, which covers entities originating, carrying, or terminating calls via traditional voice service, VoIP, or commercial mobile radio service (CMRS), while clarifying that the KYC measures at issue apply to originating providers.

These could include:

  • Wireline carriers originating customer traffic

  • Wireless and CMRS providers acting as the originating provider

  • Interconnected VoIP providers

  • Providers of Session Initiation Protocol (SIP) trunking, wholesale origination, Communications Platform as a Service (CPaaS)-enabled voice, and large-scale outbound calling

  • Mobile network operators (MNOs) and mobile virtual network operators (MVNOs), especially where prepaid services, third-party subscriber identity module (SIM) distribution, or bulk account activation are involved, and

  • Platform based and hybrid providers whose role in the origination path may expose them to KYC expectations.

Why potential changes could matter to providers

For private sector providers, the FNPRM highlights several key issues:

  • More formal compliance programs: Providers may need to move from ad hoc customer vetting to documented, repeatable KYC procedures, including onboarding checklists, risk-based review, and traffic-based monitoring.

  • High-volume and enterprise risk: The focus on high-volume, business, foreign-based, and lead generator customers suggests greater scrutiny of enterprise, wholesale, and platform models and potential need for more robust risk tiering.

  • Definitions drive scope: How the FCC ultimately defines “physical address,” “new customer,” “renewing customer,” and “high volume” will determine when heightened diligence is triggered and how broadly the obligations apply.

  • Data governance and privacy: Expanded collection and four-year retention of sensitive customer identification data will raise privacy, cybersecurity, and internal control questions, particularly for smaller providers and those with indirect distribution models.

  • Integration with existing obligations: Tying KYC more directly to STIR/SHAKEN, Robocall Mitigation Database filings, and potential blocking obligations could transform KYC from a background obligation into a central element of enforcement, certification, and traffic continuity risk.[9]

The authors are available to provide more information on the developments of this proceeding, prepare comments or replies, and advise on final rule implications.

 

[1] Advanced Methods to Target and Eliminate Unlawful Robocalls, Fourth Report and Order, 35 FCC Rcd. 15221, 15232–33 paras. 32–34 (2020); 47 C.F.R. § 64.1200(n)(4).

[2] Id. at paras. 32–34.

[3] Lingo Telecom, LLC, Notice of Apparent Liability for Forfeiture, 39 FCC Rcd. 6027, para. 1 (2024); Lingo Telecom, LLC, Order, 39 FCC Rcd. 9304, 9316–17, attach. 1 (2024).

[4] Advanced Methods to Target and Eliminate Unlawful Robocalls; Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Further Notice of Proposed Rulemaking, CG Dockets 17-59 & 02-278, FCCCIRC260402 (rel. Apr. 9, 2026) (KYC FNPRM), paras. 9, 13.

[5] KYC FNPRM paras. 18, 21.

[6] Id. at paras. 21–23.

[7] Id. at para. 24.

[8] Id.; see also para. 27 & app. A.

[9] Paras. 913, 16, 18, 20, 24 & 27.