The FCC’s April 9 draft NPRM would turn “know your customer” from informal guidance into a prescriptive, auditable rule for originating voice providers, mandating verified onboarding, risk-based monitoring, detailed records, and even per-call penalties for KYC failures.
On April 9th, the Federal Communications Commission (FCC) issued a draft Notice of Proposed Rulemaking (NPRM) that would take the FCC’s informal “know your customer” expectations for originating voice service providers (VSPs) and turn them into a formal, detailed KYC rule with real per‑call enforcement teeth.
Although the Commission has not yet adopted the NPRM, the draft makes clear that VSPs, by virtue of their being the first telecommunications service provider in the call path, are essentially the “first line of defense” against illegal robocalls and scam traffic. The proposed rules will force them to vet, verify, and monitor their customers in a structured, documentable way before letting their traffic onto the network.
The Commission has offered several interlocking explanations as to why new KYC rules are required.
1. Vague Existing KYC Expectations: Under current FCC robocall rules, originating and gateway providers are supposed to take “affirmative, effective” steps to know their customers and avoid facilitating illegal traffic, but this standard comes mostly from orders, consent decrees, and enforcement guidance rather than a detailed, codified rule. The Commission and enforcement staff have repeatedly criticized some providers for treating this as aspirational rather than operational.
Certain VoIP and least‑cost routing providers onboarded high‑volume dialers with minimal identity checks and little or no traffic monitoring, then disclaimed responsibility when traceback efforts showed illegal calls originating on their networks. Enforcement cases and tracebacks have exposed a pattern where bad actors cycle quickly through lightly‑vetted providers, taking advantage of weak or non‑existent KYC. The draft NPRM reflects a view that a purely principles‑based KYC regime has not produced consistent behavior across the ecosystem, especially among smaller or “friction‑light” providers.
2. STIR/SHAKEN Call Authentication Insufficient: The FCC and industry stakeholders invested heavily in STIR/SHAKEN and related caller ID authentication obligations after the TRACED Act, on the theory that authenticated caller ID would make spoofing harder and traceback easier. While that has improved visibility, it has not solved the core problem. Spoofed or fraud‑originated calls continue at high volume even where STIR/SHAKEN is implemented, because bad actors can still obtain or hijack legitimate numbers and originate authenticated calls through weakly‑controlled providers. The FCC is looking to pair call authentication with stronger KYC, to ensure originators know who they are vouching for when they put authenticated calls onto the network.
3. Ongoing Consumer Harm and Fraud Trends: Consumer protection metrics remain grim despite earlier robocall initiatives. Illegal scam calls still represent a large share of complaints and cause substantial consumer financial losses, especially in banking, government‑impersonation, and tech‑support scams. The FCC and state AGs have highlighted that many of these calls can be traced back to small or lightly‑regulated originators that did not meaningfully vet their customers. The draft NPRM couches the KYC expansion squarely as a response to these persistent harms and the view that originating providers are uniquely positioned to stop bad traffic before it enters the network.
While the detailed text of the draft NPRM will be refined in the rulemaking process, summaries point to several concrete components.
Prescriptive Onboarding and Identity Verification: The NPRM contemplates requiring originating providers to collect defined data elements before activating service, including: (i) legal name and DBAs; (ii) a valid, physical address; and (iii) government‑issued ID and business registration number. This is a notable shift from current expectations, which focus on “reasonable efforts” and do not enumerate specific data elements or verification methods.
Risk‑Based Customer and Traffic Assessment: The draft NPRM explicitly asks whether KYC requirements should differ by customer type, service model, and risk profile, which suggests the FCC is considering a risk‑based KYC framework, where higher‑risk models (OTT apps, prepaid, wholesale VoIP, international origination) face stricter onboarding and monitoring duties than low‑risk, tightly controlled enterprise trunks.
Ongoing Monitoring and Red‑Flag Response Requirements: The proposed rules would formalize expectations that originating providers monitor call patterns for red flags (e.g., extremely high call volumes, short call durations, high complaint rates, tracebacks, etc.), investigate customers whose traffic exhibits those indicators, and take appropriate graduated remedial actions. This converts what has often been “good‑practice” guidance into an obligatory surveillance and response program for customer traffic.
Documentation, Recordkeeping, and Auditability: The NPRM contemplates explicit recordkeeping requirements, including retention of onboarding KYC data, records of verification steps taken, documentation of risk assessments and monitoring results, and logs of remedial actions taken in response to suspicious traffic. Such records would be available to the FCC and potentially other enforcement partners, enabling more direct scrutiny of whether a provider’s KYC process was adequate in cases where illegal calls are traced back to its network.
Per‑Call Forfeiture Exposure: Perhaps the most aggressive enforcement change is the idea of per‑call penalties for KYC failures. Rather than treating KYC violations as a single “program failure,” the FCC proposes to assess forfeitures on a per‑call basis, explicitly to tie penalties to the volume of illegal calls facilitated. That means that if a provider inadequately vets a customer who then places 100,000 illegal calls, the theoretical forfeiture exposure could be multiplied by that call count. This mirrors the per‑call structure of TCPA damages and reflects a clear desire to make lax KYC practices economically intolerable.

If implemented close to current form, the NPRM would likely require originating providers to redesign onboarding flows to collect specified identity data, integrate third‑party verification, and gate activation on KYC completion. They would also be required to build or enhance monitoring systems to flag anomalous call patterns and tie those flags to customer accounts.
The new rules also contemplate the need to formalize risk scoring for different customer types and services, with correspondingly different controls. VSPs would also need to harden documentation practices to show, after the fact, that KYC and monitoring were carried out in good faith and pursuant to FCC requirements.
Taken together, the draft NPRM signals that the FCC is prepared to move KYC from a loose expectation to a foundational compliance obligation for originating voice providers. If adopted in anything like its current form, VSPs will need to treat customer due diligence, traffic monitoring, and documentation as core parts of their product design, not back‑office hygiene.
Providers that invest early in structured onboarding, risk‑based monitoring, and auditable records will be better positioned both to absorb the operational impact of the final rules and to defend themselves when traceback or enforcement inevitably comes calling.