FCC Proposes Stronger “Know Your Customer” Rules; Will Consider “Know Your Upstream Provider” Rulemaking At May 20 Meeting

The Federal Communications Commission’s (FCC) efforts to combat illegal robocalling are poised to expand soon, with the FCC adopting a Further Notice of Proposed Rulemaking (KYC FNPRM) by a 3-0 vote at the April 30, 2026 FCC Open Meeting, seeking comment on additional measures to bolster the Commission’s “Know-Your Customer” (KYC) requirements. 

The Commission’s KYC rules set forth standards for originating voice service providers (OSPs) for verifying the identity of their customers in connection with opening an account with the OSP. The KYC FNPRM aims to “provid[e] additional clarity to fill the gap between [the FCC’s] current general KYC requirement and the types of KYC steps necessary to protect consumers” to “make it more difficult for scammers to originate illegal calls and to enforce against them when they do[.]” Specifically, the KYC FNRPM seeks comment on:

1. Customer identification requirements for new and renewing customers;
2. Requirements for OSPs to verify, retain, and re-verify customer information;
3. Requiring more information from certain customers, including high-volume customers;
4. How new KYC requirements can complement the Commission’s parallel call branding and caller name requirements currently under consideration.

The KYC FNPRM also proposes assessing penalties for violations of the Commission’s KYC rule on a per-call basis. Comments and Reply Comments on the KYC FNPRM are due 30 days and 60 days after publication in the Federal Register, respectively, which has yet to occur. 

In addition, on April 29, 2026, the FCC released a draft “Know-Your-Upstream-Provider” FNPRM (KYUP FNPRM), to be voted on at the Commission’s May 20, 2026 Open Meeting. 

We provide a brief preview of the draft KYUP FNPRM at the end of this alert.

Commission Proposes New KYC Requirements

Customer Identification Requirements. The KYC FNPRM seeks comment on its proposals to require enhanced customer identification information collection from OSPs for both new and renewing customers. In particular, the KYC FNPRM invites comment on requiring OSPs to obtain and retain from new and renewing customers, at minimum:

• Name;
• Physical address;
• Government-issued identification number; and
• Alternate telephone number.

For high-volume customers, the KYC FNPRM invites comment on requiring the collection of information regarding the intended use of the service (e.g., marketing, education, political campaign, etc.) and the customer’s IP address from which each call will be placed. The KYC FNPRM states that collecting such information will deter scammers from accessing the network and will facilitate enforcement efforts to identify such scammers if they ultimately do gain access to the network. 

The KYC FNPRM invites comment on its proposals, asking commenters to identify privacy concerns the proposals might implicate, the efficacy of the KYC FNPRM’s proposed expanded information collection, and how to define the terms “physical address” and “new” and “renewing customers” as they relate to the proposals, among other issues.

The FCC seeks comment on whether the customer information requirements proposed should vary based on the specific characteristics of the service at issue – in particular, whether the FCC should modify its information collection requirements based on whether a customer is more likely to make illegal calls (with the KYC FNPRM suggesting that determination may be based on customers subscribing to high-volume services, foreign-based customers, and other factors), and whether a service is prepaid or postpaid.

Customer Information Verification and Retention. The KYC FNPRM also invites comment on a variety of proposals to impose expanded customer information verification and record retention requirements on OSPs. Again focusing on high-volume customers specifically, the KYC FNPRM invites comment on requiring OSPs to verify customer information by collecting copies of government-issued identification, corporate formation records, confirmations of telephone numbers, and other methods for verifying the customer information collected is accurate. 

The FCC also tentatively concludes that there are certain “red flags” that raise concerns that may warrant closer verification, including:

• Providing a registered agent or virtual office as a physical address;
• Registering a corporate address using a residential address or random commercial location;
• Lacking a commercial presence or operating a suspicious website;
• Using a suspicious email address;
• No registration record in the state the customer claims to be located or incorporated in; and
• Paying for service through non-traceable means, such as using cryptocurrency.

The KYC FNPRM also invites comment on whether the FCC should require re-verification of customer information in response to “changes in traffic patterns or other red flags that may suggest illegal calls[.]” The FCC notes that it “expect[s] that originating providers will monitor traffic on their networks to determine if there are customer information inconsistencies such as a domestic U.S. company transmitting traffic from a foreign-based IP address or dormant accounts suddenly reappearing and sending large volumes of calls.” 

Alternatively, the KYC FNPRM seeks comment on requiring re-verification on a regular basis, rather than in response to changing traffic patterns. Finally, the KYC FNPRM invites comment on requiring OSPs to retain KYC information and supporting records for four years, consistent with the statute of limitations for spoofing or intentional violations of Section 227(b) of the Communications Act.

Enforcement. Significantly, the KYC FNPRM proposes to codify a per-call base forfeiture of $2,500 for each illegal call under 47 C.F.R. § 64.1200(n), which imposes the affirmative KYC requirements for OSPs. In doing so, the Commission states that alternative approaches, such as assessing fines on a “per customer” basis would fail to capture the number of illegal calls made and are less likely to encourage compliance.

The Commission also seeks comment on alternatives to adopting specific KYC requirements, such as issuing baseline KYC guidance or expectations that act as a regulatory safe harbor for OSPs against any enforcement action. The KYC FNPRM also invites further comment on other enforcement measures it could consider to deter illegal calls, including whether certification of KYC compliance should be made as part of filings in the Commission’s Robocall Mitigation Database, and whether the Commission should consider requiring OSPs to obtain independent verification of their KYC compliance, such as through an independent auditor. Notably, the KYC FNPRM also invites comment on the feasibility of extending liability for failure to comply with KYC requirements to any downstream provider of the OSP.

Other Matters. In addition, the KYC FNPRM invites comment on:

• Whether enhanced KYC requirements can prevent or deter criminal use of communications networks not involving illegal calls;
• Implementation of the proposed new KYC requirements, including whether the rules should only apply to new or renewing customers acquired after the effective date of any new KYC rules adopted, and whether prospective new KYC rules will require OMB approval pursuant to the Paperwork Reduction Act;
• Implementation timelines for any new KYC requirements adopted, and whether those timelines should differentiate between high-volume customers and other customers;
• The Commission’s conclusions that Sections 201(b), 227(e), and 251(e) of the Communications Act and the Truth in Caller ID Act provide the requisite authority to implement the enhanced KYC rules proposed in the KYC FNPRM; and
• The Commission’s conclusions that its national security authority likewise serves as a basis for adopting the rules proposed in the KYC FNPRM.

May 2026 KYUP FNPRM

The draft “Know Your Upstream Provider” FNPRM, slated for consideration at the May 20 Open Meeting, proposes sweeping changes in support of the FCC’s efforts to combat illegal robocalling. Among other things, if adopted, the robust 93-page draft KYUP FNPRM would propose changes to the FCC’s approach to STIR/SHAKEN compliance and call attestation standards, oversight and obligations for the current STIR/SHAKEN Governance Authority (GA), and compliance obligations and information collection obligations for downstream voice service providers (VSPs).

The proposed rule changes in the draft KYUP FNPRM would include:

• Establishing baseline expectations for all VSPs, including imposing new information collection obligations, compliance evaluations, due diligence obligations, ongoing monitoring responsibilities, and significantly, expanding downstream VSPs’ obligations to take affirmative actions with respect to potentially illegal traffic from upstream providers;
• Requiring downstream VSPs to collect general business, financial, internet commercial presence, ownership and affiliate, operational, and service information from upstream providers;
• Adopting new policies and exercising more significant oversight over the current STIR/SHAKEN GA;
• Codifying STIR/SHAKEN attestation levels established in the ATIS standards, setting out requirements for satisfying attestation-level criteria, and codifying prohibitions on improper attestations;
• Repealing undue hardship extensions for STIR/SHAKEN attestations, including for certain categories of satellite providers and VSPs unable to obtain an SPC token; and
• Requiring all providers serving end users to make attestation-level decisions.

The draft KYUP FNPRM would also propose redefining or providing new interpretations for a wide range of critical terms in the Commission’s rules implementing the STIR/SHAKEN protocol and the TRACED Act. This includes, but is not limited to, adopting revised definitions for “Voice Service” and “Voice Service Provider”; “Origination” and “Originating Provider”; and “Intermediate Provider,” “Gateway Provider,” and “Non-Gateway Intermediate Provider”.

The sheer scope of the draft KYUP FNPRM warrants close attention from potentially impacted entities. If adopted, the draft KYUP NPRM would propose that the new rules go into effect 12 months after Federal Register Publication of a Report and Order, or 30 days after approval by the Office of Management and Budget for rules containing new or modified information collections subject to review under the PRA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.