As lawyers like to say, bad facts make bad law. The FCC's February 4, 2025 Notice of Apparent Liability (NAL) against Telnyx is the latest such example. The FCC is imposing a $4.5M fine against Telnyx for its failure to properly "KYC" a customer that made roughly 1,800 prerecorded scam calls in their first day of service before Telnyx caught the issue and shut them off. In other words, the FCC fined Telnyx $2,500 per call for one (or two) KYC rule violations.
This is the FCC's first enforcement action regarding a carrier's KYC practices, so this is the first time since the FCC issued its 2021 "Know Your Customer" requirement that the industry is given any real guidance on what the agency's expectations are. (To be fair, the FCC's August 2024 $1M Consent Decree with Lingo was nominally enforcing the STIR/SHAKEN attestation rules, but the Decree did contain "enhanced" KYC rules, so we know what a super-charged KYC program could look like.) The FCC has never defined its "KYC" requirement. The rule just says that a carrier must "take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic." 47 C.F.R. § 64.1200(n)(4). This is obviously not a self-explanatory requirement. The Commission's Telnyx NAL cites the August 2024 Lingo Consent Decree as KYC measures one could take.
The Mystery Customer's KYC and Traffic
The facts here are fairly bizarre (and not entirely clear, as the factual description of the events leading to the NAL is heavily redacted). Here, two new, clearly related customers signed up for Telnyx's service on February 6, 2024. Telnyx's KYC process collected a name, a non-free email address, an IP address, and a physical address. The details were, admittedly, not coherent. The email domain was from a freshly created brand, the IP addresses tied to locations in the UK, and the address for each turned out to be the address of a Sheraton hotel in Toronto. Some pretty obvious questions apparently went unasked before turning the accounts up for service, which they paid for in Bitcoin. Hindsight can be harsh.
This customer's traffic was outrageously bad. That first evening, they sent prerecorded calls pretending to be the FCC's "Fraud Prevention Team" (there is no such thing). And even more bizarrely, the calls apparently went to many FCC Staffers and even some of the FCC's family members. What are the odds?? Seems fishy, for sure. One called party reported that they were told to pay the FCC $1000 in Google gift cards. From the evening of February 6, until Telnyx discovered the problem and stopped (mitigated) the traffic the very next day, the two accounts had pushed out almost 1,800 prerecorded calls.
The FCC held that Telnyx's KYC was deficient. Again, there are redacted details preventing the public from learning what to do (or not to do) based on Telnyx's case. See paragraphs 10 and 14. There are suggestions Telnyx used a third-party verification service, but the FCC seemed unmoved: "the [third-party] service indicated merely that the fake identities [were not previously associated with fraudulent activity.]"
The FCC doesn't prescribe any necessary or sufficient practices. Instead, it provides the following menu of options that may or may not be sufficient:
Measures that may contribute to satisfying the KYC obligation include, for example, obtaining supporting records to verify the customer's identity such as copies of government issued identification, corporate formation records, proof of good standing, a federal employer identification number or business registration number, an active telephone number, third party records of a customer's physical address, type of goods or services offered, and verification of commercial presence.
That might work, but no promises, of course. And if they give you someone else's documents pretending to be another real company, which happens routinely, they don't tell you how to suss out the fakes.
The Forfeiture
The FCC's NAL proposes a forfeiture of $4,492,250. First, the Commission holds that it can skip the preliminary citation requirement because it now regards a carrier's RMD filing as a "license, permit, certificate, or other authorization issued by the Commission." The FCC did not provide much explanation for that conclusion, which isn't obvious as carriers file in the RMD without any FCC gatekeeping role.
Then the FCC had to decide the base forfeiture amount. But there's no law on that either. The FCC's rules prescribe no specific punishment for failing to KYC a customer properly. So they had to look for "an analogous violation," which they found in Section 64.6305(g)(1) of its rules. That rule prohibits intermediate providers from taking traffic from another carrier whose name isn't in the FCC's RMD. That's easy: you don't turn up trunks if the potential wholesale customer's name isn't in the RMD. If they are in the RMD (and, ideally, their certification has been updated since the latest required update window of late February 2024), you can serve them. That's a simple public-database check. It doesn't involve the nuanced judgment calls that the FCC apparently would have originating carriers entertain when evaluating the KYC bona fides of new customers. But, whatever the wisdom of that decision, the FCC concludes that "both obligations exist to protect the U.S. voice network and consumers from illegal robocalls." Seatbelt and drunk-driving laws both exist to promote safer roads, but we can all agree that they can and do have different punishments. Interestingly, the FCC didn't mention its Lingo NAL in this section of the discussion. In Lingo, the FCC set a $1,000 per call forfeiture for violating the STIR/SHAKEN attestation-rating rules, which turn on the extent to which the carrier has a verified relationship with the caller. But in a case addressing essentially the same issue, the FCC went with a 2.5x multiplier for Telnyx over the $1,000/call fine that it hit Lingo with.
Finally, the FCC, with little explanation, decides to multiply its new $2,500 fine not against the two KYC failures, but rather the 1,797 calls those two accounts made in the day in which they were on Telnyx's system. $4.5M instead of $5k. One suspects Telnyx won't roll over on this one, but we should all live with eyes wide open in this rulemaking-via-enforcement environment. Knowing your customer is crucial to avoiding the FCC's ire.
In addition to those curious assumptions and conclusions, the FCC made no mention of, among other things, its statutory authority to continue requiring carriers to mitigate robocalls after they have implemented STIR/SHAKEN. (Recall that the TRACED Act only authorizes the FCC to require a "robocall mitigation program" "during the time of a delay of compliance" with the new STIR/SHAKEN rules. In an era where statutory authority is supposed to matter again, this is a curious omission.) And while the three Commissioners who endorsed this NAL likewise make no mention of the Supreme Court's Jarkesy decision, Commissioner Simington did, giving it as his sole reason for dissenting in light of the Commission's refusal to recognize Telnyx's due process rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
