FCC Proposes Expanded "Know Your Customer" Requirements For Originating Providers

The Federal Communications Commission (“FCC” or “Commission”) has released a draft Notice of Proposed Rulemaking that would significantly expand and formalize the Commission’s existing “Know Your Customer” (“KYC”) expectations for originating voice service providers (the first providers in the call path or the providers serving the calling party).

As previewed in Chairman Carr’s recent blog post, the draft item is intended to strengthen the FCC’s anti-robocall framework by tightening the obligations of originating providers to identify, verify, monitor, and retain information about their customers before and during the provision of service.

Although the item has not yet been adopted and remains subject to change, the message is clear: the FCC is considering moving away from a general, principles-based KYC standard toward a far more detailed compliance regime. If adopted in anything close to its current form, the proposal could require meaningful operational changes for many providers, particularly those offering consumer-facing, app-based, nomadic VoIP, OTT, prepaid, or other lower-friction services.

The draft item is scheduled for consideration at the FCC’s April 30, 2026, Open Meeting. If adopted, initial comments will be due 30 days after publication in the Federal Register and reply comments will be due 60 days after publication. We will circulate an update once those deadlines are announced.

Key Proposals in the Draft NPRM

The FCC’s draft NPRM seeks comment on whether to impose more specific and rigorous KYC requirements on originating providers, including:

• Minimum customer information collection requirements.
  The FCC proposes requiring originating providers to obtain, at a minimum, each customer’s name, physical address, government-issued identification number, and alternate telephone number before activating service.
• Additional requirements for certain higher-volume customers.
  For some customers, particularly those associated with higher-volume calling, the FCC asks whether providers should also be required to collect information such as the intended use of the service and the IP address from which calls will originate, where applicable.
• Verification, not just collection, of customer information.
  The draft NPRM asks whether providers should be required to verify customer information through supporting documentation, such as government-issued identification, business formation documents, proof of good standing, confirmation of active telephone numbers, physical address, and proof of commercial presence.
• Completion of KYC before service activation.
  The FCC seeks comments on whether providers should be required to complete verification before allowing a customer to begin originating calls.
• Ongoing monitoring and re-verification.
  The proposal asks whether providers should be required to re-verify customer information when suspicious conduct, red flags, or unusual traffic patterns arise.
• Extended record retention obligations.
  The FCC seeks comment on requiring providers to retain KYC records for four years after the customer relationship ends.
• Risk-based or differentiated compliance obligations.
  Importantly, the Commission asks whether KYC requirements should vary depending on customer type, service model, prepaid versus postpaid status, or the relative risk associated with the customer or traffic profile.
• Per-call forfeiture exposure for noncompliance.
  The draft NPRM also proposes a per-call forfeiture framework for KYC violations, which could materially increase enforcement exposure for providers whose onboarding, verification, or monitoring practices are later deemed insufficient.

Why This Matters

If adopted in anything close to its current form, the proposal could have significant operational, compliance, and business implications for originating providers.

• More prescriptive onboarding obligations.
  Providers that currently rely on streamlined onboarding or collect limited customer information may need to redesign customer intake and activation workflows.
• Increased compliance burdens.
  More robust verification, retention, and monitoring requirements could require additional internal resources, third-party tools, policy updates, and ongoing compliance oversight.
• Heightened privacy and customer-friction concerns.
  For providers serving consumer-facing or privacy-sensitive use cases, more intrusive customer identification requirements may raise legitimate privacy, user-experience, and customer acquisition concerns.
• Disproportional burdens across service providers.
  Not all originating providers present the same risk profile, and not all customers resemble high-volume enterprise calling operations. A uniform KYC regime could impose disproportionate burdens on legitimate providers serving lower-volume, consumer-focused, or privacy-conscious customers.
• Substantial enforcement risk.
  Because the FCC is proposing a per-call forfeiture framework, allegedly deficient KYC practices could expose providers to significant penalties.
• A meaningful opportunity to shape the final rules.
  The FCC is expressly seeking comments on whether any final requirements should remain flexible and risk based. That gives providers an important opportunity to help build a record in favor of tailored, proportionate obligations rather than a one-size-fits-all regime.

The Opportunity to Shape the Record

Importantly, the FCC is still asking the right threshold questions and is expressly seeking comments on whether any final requirements should remain flexible and risk-based in the final version of the NPRM. That gives providers an important opportunity to help build a record in favor of tailored, proportionate obligations rather than a one-size-fits-all regime.

The draft NPRM seeks comment on whether KYC requirements should vary depending on customer type, service model, prepaid versus postpaid status, and overall risk. That leaves room for affected providers to argue that any final rules should remain flexible, proportionate, and risk-based, not uniformly imposed across the board.

In our view, that is where provider participation will matter most.

Comments filed in this proceeding can help build a record showing that the Commission’s legitimate anti-robocall objectives can be advanced without unnecessarily burdening lawful providers whose services, customers, and traffic patterns differ markedly from those associated with illegal robocalling. Providers may wish to emphasize, for example, that enhanced obligations should be calibrated to customer risk, calling volume, and the nature of the service being offered, rather than applied identically to all originating providers.

That basic principle is consistent with the arguments The CommLaw Group has already advanced in related proceedings on behalf of the Consumer Access & Choice Coalition (“CACC”), including the Reply Comments filed in the Caller ID proceeding.

A Related Coalition Effort Is Already Underway

As discussed in our earlier advisory announcing the formation of CACC, The CommLaw Group has been working with consumer-focused and innovative communications providers to ensure that their interests are meaningfully represented in FCC robocall and caller authentication proceedings.

This new KYC proposal is precisely the type of proceeding in which coalition participation may prove especially valuable.

Providers that are concerned that expanded KYC requirements may be unduly burdensome, impracticable in certain contexts, or unnecessarily intrusive of legitimate customer privacy interests should consider participating in the rulemaking process early. A coalition structure can provide similarly situated providers with an efficient mechanism to coordinate advocacy, strengthen the record, and share the costs of participation.

The issues raised in this proceeding also overlap with concerns addressed in our prior advisory, FCC Seeks Comment on New Proposed Caller Identity Verification Requirements, Tightened STIR/SHAKEN Rules, and Restrictions on Legitimate Spoofing, which previewed the Commission’s broader movement toward more aggressive upstream identity and authentication requirements.

What Providers Should Do Now

Providers should begin evaluating their existing onboarding and customer verification practices now, even before the FCC votes on the item.

At a minimum, providers should review:

• what customer information they currently collect before assigning numbers and enabling outbound calling;
• whether and how they verify that information;
• what internal procedures they use to identify suspicious traffic or anomalous customer behavior;
• how long they retain customer identity records and related documentation; and
• whether their service model could be disproportionately affected by a rigid or overly generalized KYC framework.

Providers should also consider whether they want to participate in the upcoming comment cycle, either individually or through a coordinated coalition effort.

Next Steps

CommLaw Group will continue monitoring this proceeding closely. If the FCC adopts the draft NPRM at its April 30 meeting, we will provide a follow-up update once the comment and reply deadlines are established following Federal Register publication.

In the meantime, providers that may be affected by these proposed rules should begin assessing their current compliance posture and considering whether to engage in the proceeding. For providers interested in participating through a coordinated advocacy effort, CommLaw Group is continuing its representation of CACC and would be pleased to discuss participation options.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.