April 9, 2026 FCC FACT SHEET* Advanced Methods to Target and Eliminate Unlawful Robocalls; Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 Further Notice of Proposed Rulemaking – CG Docket Nos. 17-59 and 02-278 Background: Originating voice service providers are best positioned to prevent illegal calls by screening new or renewing customers before they make calls. Although Commission rules require these providers to take “affirmative, effective” measures to know its customers, some are not doing enough. The result is more illegal calls that defraud American consumers and open our communications network to vulnerabilities. This lack of diligence can also make it difficult for law enforcement to identify criminals that use the network for drug deals, violent crimes, and human trafficking. In this Further Notice of Proposed Rulemaking, the Commission would seek comment on the specific information originating providers must obtain from customers before they can make calls, how they should verify that information, and how it can enforce violations proportionate to the harms they cause. This would enhance the existing “Know-Your-Customer” (KYC) requirement, providing additional clarity to fill any gaps between general KYC requirements and the types of rigorous steps necessary to protect consumers from illegal calls. What the Notice of Proposed Rulemaking Would Do: • Propose to require: o That originating voice service providers including traditional voice service, commercial mobile radio service (CMRS), and interconnected Voice over Internet Protocol (VoIP) service providers be assessed penalties for violations of the KYC rule on a per call basis to best correlate penalties to the volume of illegal calls made, and thus the harm caused by any one caller. • Seek comment on: o Requiring originating providers to obtain the name, physical address, government issued identification number, and alternative telephone number of any new and renewing customer before granting access to its services and, for high volume customers, also obtain the intended use of the service (e.g., marketing, education, political campaign) and the customer’s IP address from which each call will be placed (if applicable); o Requiring originating providers to obtain supporting records to verify the customer’s identity, such as copies of government issued identification; o Whether originating providers must retain KYC information and supporting records for a minimum of four years following termination of the customer relationship to allow an opportunity to investigate and potentially take enforcement actions relating to illegal calls before expiration of the statute of limitations; o Whether re-verification of KYC customer information should be triggered by unusual activity or changes in traffic patterns or other red flags that arise during the customer relationship regarding the making of illegal calls; o Whether the Commission should require collection of more customer information from certain customers based on certain risk factors; o Whether KYC information standards should vary for prepaid and postpaid services; and, o Whether enhanced KYC requirements can prevent or deter other criminal uses of communications networks. * This document is being released as part of a “permit-but-disclose” proceeding. Any presentations or views on the subject expressed to the Commission or its staff, including by email, must be filed in CG Docket Nos. 17-59, and 02-278, which may be accessed via the Electronic Comment Filing System (https://www.fcc.gov/ecfs). Before filing, participants should familiarize themselves with the Commission’s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission’s meeting. See 47 CFR § 1.1200 et seq. Federal Communications Commission FCC-CIRC2604-02 Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of ) ) Advanced Methods to Target and Eliminate ) CG Docket No. 17-59 Unlawful Robocalls ) ) Rules and Regulations Implementing the Telephone ) CG Docket No. 02-278 Consumer Protection Act of 1991 ) FURTHER NOTICE OF PROPOSED RULEMAKING* Adopted: [ ] Released: [ ] Comment Date: (30 days after date of publication in the Federal Register) Reply Comment Date: (60 days after date of publication in the Federal Register) By the Commission: I. INTRODUCTION 1. Combatting illegal calls is our top consumer protection priority, and we are taking a holistic approach by attacking them at every point in their lifecycle. This includes stopping illegal calls before they enter the phone network, requiring intermediate providers to block them, and giving consumers more information to decide whether they want to answer the calls that reach their phones. 2. The most effective way to prevent illegal calls from reaching American consumers is by ensuring they never enter the network. Originating voice service providers are best positioned to do that by screening new or renewing customers before they make calls.1 Although Commission rules already require originating providers to take “affirmative, effective” measures to “know[] its customers,”2 some originating providers do not do enough. The result is more illegal calls that defraud American * This document has been circulated for tentative consideration by the Commission at its April 30, 2026 open meeting. The issues referenced in this document and the Commission’s ultimate resolutions of those issues remain under consideration and subject to change. This document does not constitute any official action by the Commission. However, the Chairman has determined that, in the interest of promoting the public’s ability to understand the nature and scope of issues under consideration, the public interest would be served by making this document publicly available. The Commission’s ex parte rules apply and presentations are subject to “permit-but disclose” ex parte rules. See, e.g., 47 CFR §§ 1.1206, 1.1200(a). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission’s meeting. See 47 CFR §§ 1.1200(a), 1.1203. 1 For purposes of this Further Notice, we use the definition of “voice service provider” that we used in the Fourth Call Blocking Order. Specifically, “voice service provider” means any entity originating, carrying, or terminating voice calls through time-division multiplexing (i.e., “traditional” voice service), Voice over Internet Protocol (VoIP), or commercial mobile radio service (CMRS), unless otherwise noted. See Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Fourth Report and Order, 35 FCC Rcd 15221, 15222, para. 2, n.2 (2020) (Fourth Call Blocking Order). The KYC measures we discuss apply only to originating voice service providers (“originating providers”). 2 See 47 CFR § 64.1200(n)(4). In addition, this rule requires originating providers to “exercis[e] due diligence in ensuring that its services are not used to originate illegal traffic.” Federal Communications Commission FCC-CIRC2604-02 consumers3 and open our communications network to vulnerabilities.4 Beyond allowing illegal calling, this lack of diligence on the part of some originating providers can make it difficult for law enforcement to identify criminals that use the telephone network to perpetrate drug deals, violent crimes, and human trafficking. 3. Here we seek to enhance the existing “Know-Your-Customer” (KYC) requirement providing additional clarity to fill the gap between our current general KYC requirement and the types of rigorous KYC steps necessary to protect consumers. Specifically, we: (1) seek comment on customer identification requirements for new and renewing customers; (2) seek comment on requirements for originating providers to verify, retain, and re-verify customer information; (3) seek comment on requiring more information from certain customers including high-volume customers; (4) seek comment on how any new KYC requirements can complement call branding and caller name requirements the Commission may adopt; and (5) propose that the Commission assess penalties for violations of the KYC rule on a per call basis. II. BACKGROUND A. Financial Sector 4. KYC is a fundamental concept guiding customer onboarding procedures in the financial sector. For example, the Bank Secrecy Act (BSA) of 1970, as amended, and its implementing rules, impose record retention and reporting requirements on financial institutions to help detect and prevent money laundering.5 In 2001, Congress amended the BSA to require the U.S. Treasury Department (Treasury) to prescribe regulations “setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution.”6 Specifically, financial institutions must “verif[y] the identity of any person seeking to open an account to the extent reasonable and practicable” and “maintain[] records of the information used to verify a person’s identity including name, address, and other identifying information.”7 5. The Treasury requires banks to implement a written Customer Identification Program 3 See Call Authentication Trust Anchor, WC Docket No. 17-97, Notice of Proposed Rulemaking, 40 FCC Rcd 3467, 3467-68, para. 1 (2025) (noting that victims of calling scams are defrauded of an estimated $850 million annually with added costs for wasted time and nuisance increasing costs into the billions). 4 For example, denial of service attacks can involve overwhelming emergency call centers with illegal calls to block the provision of emergency services. 5 See generally 12 U.S.C. §§ 1829b, 1951-1960; 31 U.S.C. §§ 5311-5336; 31 CFR Chapter X. Congress enacted the BSA to address money laundering in the United States. The BSA, as amended, requires businesses to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, or regulatory investigations, risk assessments or proceedings, or in intelligence or counterintelligence activities, including analysis, to protect against terrorism. Financial institutions must also have an Anti-Money Laundering Program (AML Program) to ensure compliance with BSA requirements, which must include designation of a compliance officer, an employee training program, and independent audits to monitor compliance. 31 U.S.C. § 5318(h)(1); 31 CFR § 1020.210. The AML program requirements modernized the U.S. anti-money laundering framework, requiring financial institutions to create risk-based programs, enhancing whistleblower incentives, and expanding subpoena powers for foreign bank records, all of which were aimed at fighting financial crime, fraud, and terrorism financing. 6 USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272, 317, § 326 (2001); 31 U.S.C. § 5318(l)(1). Section 326 was enacted after the 9/11 attacks to combat terrorism-related financing and money laundering by requiring financial institutions to verify customer identities, helping stop illicit funds from moving through the U.S. financial system, thus preventing future terrorist acts by tracking funding and identifying individuals involved. 7 31 U.S.C. § 5318(l)(2)(A), (B). Another requirement is for financial institutions to “consult[] lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.” 31 U.S.C. § 5318(l)(2)(C). 2 Federal Communications Commission FCC-CIRC2604-02 (CIP) that includes certain minimum requirements to meet KYC requirements.8 For example, in order to open an account, banks must collect a name, date of birth (for individuals), physical address, and identification number.9 Bank CIPs must contain procedures for verifying the information collected within a reasonable time after the account is opened.10 Banks can use documents, non-documentary methods, or a combination of both to accomplish this.11 Bank CIPs must also include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations maintained by the federal government.12 Banks must retain customer information for five years after the date the account is closed.13 B. Know-Your-Customer Rule for Originating Voice Service Providers 6. The Commission’s rules require an originating provider to “[t]ake affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.”14 The Commission has not mandated specific measures to comply with this rule, but rather stated that “[v]oice service providers can comply in a number of ways, so long as they know their customers and take measures that have the effect of actually restricting the ability of new and renewing customers to originate illegal traffic.”15 The Commission has “recommend[ed] that voice service providers exercise caution in granting access to high-volume origination services, to ensure that bad actors do not abuse such services”16 and noted that originating providers may need to “extensively investigate new customers seeking access to high-volume origination services.”17 7. Since adoption, the FCC has monitored compliance with its KYC requirement. In 2024, the Commission entered into a consent decree where Lingo Telecom, LLC agreed to implement enhanced KYC measures for its customers18 after the Commission found that Lingo “in a failure to utilize reasonable ‘Know Your Customer’ (KYC) protocols, applied incorrect STIR/SHAKEN attestations to spoofed robocalls” in apparent violation of section 64.6301(a).19 Specifically, Lingo agreed to obtain the 8 31 CFR § 1020.220(a)(1). 9 Id. § 1020.220(a)(2)(i)(A). For U.S. persons, an identification number is a taxpayer identification number. Non- U.S. persons must present one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or, number and country of issuance of any other government- issued document evidencing nationality or residence and bearing a photograph or similar safeguard. Id. § 1020.220(a)(2)(i)(A)(4)(i), (ii). Treasury has exempted the direct collection of taxpayer identification numbers for the opening of credit card accounts where the bank obtains identifying information about the customer from a third- party source prior to extending credit to the customer. See id. § 1020.220(a)(2)(i)(C). 10 31 CFR § 1020.220(a)(2)(ii). 11 Id. Non-documentary methods “may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.” Id. § 1020.220(a)(2)(ii)(B)(1). 12 Id. § 1020.220(a)(4). 13 Id. § 1020.220(a)(3)(ii). 14 47 CFR § 64.1200(n)(4). 15 Fourth Call Blocking Order, 35 FCC Rcd at 15233, para. 34. 16 Id. at 15232, para. 32. 17 Id. at 15233, para. 34. 18 Lingo Telecom, LLC, Order, 39 FCC Rcd 9304, 9316-17, Attach. 1 (Operating Procedures) (2024) (Lingo Consent Decree). 19 See Lingo Telecom, LLC, Notice of Apparent Liability, 39 FCC Rcd 6027, para. 1 (2024). 3 Federal Communications Commission FCC-CIRC2604-02 following information about its customers: legal business name and supporting records confirming the same; place of formation and supporting records confirming the same; proof of good standing in the place of formation not older than six months prior to the date of the latest order by the customer of a Lingo Telecom SIP Trunking Product; U.S. federal Employer Identification Number or Business Registration Number (if applicable); physical business address and supporting records confirming the same; active telephone number and supporting records confirming the same; type of goods or services offered (e.g., marketing, education, political consulting), and verification of commercial presence reflecting same (e.g., website, social media, store front); name of authorized individual acting on behalf of the customer.20 III. DISCUSSION 8. Criminals continue to leverage the anonymity provided by phone calls and texts to defraud Americans and exploit communications networks to further other crimes. To bring illegal callers out of the shadows, we seek comment on making our KYC rules more robust by specifying information originating providers must obtain from customers before they are granted access to its service to make calls, how they should verify that information, and how we can assess enforcement penalties that are proportionate to the harms that unwanted and illegal calls cause. Through this proceeding, the FCC aims to make it more difficult for scammers to originate illegal calls and to enforce against them when they do get onto the network. In addition, we aim to clarify and reduce the regulatory uncertainty of KYC compliance for originating providers. This proceeding complements our broader work attacking illegal calls at all points in their lifecycle, including access to numbers, blocking, and call branding.21 A. Obtaining Customer Identification Information 9. We seek comment on requiring originating providers to obtain certain identification information from both new and renewing customers. Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services. For high-volume customers, including business and foreign customers, we seek comment on requiring originating providers to also collect the intended use of the service (e.g., marketing, education, political campaign) and the customer’s IP address from which each call will be placed (if applicable). We believe that requiring originating providers to gather this basic identification information will have two benefits. First, it will deter some scammers from getting onto the network. Second, enforcers will be better able to identify the scammers when they do. Gathering such information is the standard to prevent money laundering, and given the misuse of networks by bad actors such as organized criminal groups, we believe it provides a good model for our work. 10. We seek comment on our views. Can enhanced KYC prevent misuses of U.S. communications networks and numbering resources? Would requiring the collection of this information help cut down on illegal calls? Is the information we describe above sufficient to enable originating providers to identify malicious actors before they originate illegal calls? Is any of this information not needed to verify the identity of new and renewing customers? What privacy concerns may arise from 20 Lingo Consent Decree 39 FCC Rcd at 9316-17, Attach. 1. 21 See, e.g., Advanced Methods to Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor; Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Dismissal of Outdated or Otherwise Moot Robocalls Petitions, WC Docket No. 17-97, CG Docket Nos. 25-307, 17-59, and 02-278, Ninth Further Notice of Proposed Rulemaking in CG Docket 17-59, Seventh Further Notice of Proposed Rulemaking in WC Docket No. 17-97, Further Notice of Proposed Rulemaking in CG Docket No. 02-278, Public Notice in CG Docket No. 25-307, FCC 25-76 (2025) (Call Branding FNPRM); Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Eighth Report and Order, FCC 25-15 (2025) (2025 Call Blocking Order); Combatting Illegal Robocalls Through FCC Numbering Policies; Implementation of TRACED Act Section 6(a) – Knowledge of Customers by Entities with Access to Numbering Resources; Numbering Policies for Modern Communications; Telephone Number Requirements for IP-Enabled Service Providers, WC Docket Nos. 26-49, 20- 67, 13-97, 07-243, Notice of Proposed Rulemaking, FCC 26-17 (2025). 4 Federal Communications Commission FCC-CIRC2604-02 such a collection of personally identifiable information (PII) and how can we mitigate them? Should we require more information, such as date of birth, like the Treasury CIP rule? Is such information useful in identifying malicious actors before they make illegal calls and locating them after they make illegal calls? Are there specific networking protocols or layers that we should seek targeted information about given that IP addresses can change, VPNs may be used and there are a variety of ways to tunnel and port IP- based traffic? How can we minimize burdens on consumers so they are not unduly hindered in gaining access to voice services? 11. How should we define “physical address” for these purposes? Should we exclude the use of virtual addresses, shared office locations without a dedicated suite or floor, P.O. boxes, mail forwarding services, and hosted servers because such addresses are inadequate to confirm the identity of a customer and often used by bad actors to conceal its identity? We also seek comment on whether foreign customers use domestic U.S. providers to originate large volumes of calls. Are there ways in which we can address any KYC issues relating to foreign-based callers? 12. We seek comment on how we should define “new” and “renewing” customers for these purposes. Should new customers be only those new to the originating provider? Or are those switching to different plans offered by the current provider considered “new” for purposes of the KYC requirement? Should “renewing” customers be only those who are merely continuing an existing plan for a new contract period? Should contracts that contain automatic renewal clauses be considered a renewal in this context? How often do customers renew contracts for voice services? If infrequently, should we consider as an alternative to renewing customers requiring re-verification of existing customer identity information on a periodic basis such as after a specified number of years? 13. Risk-Based Differences. Should we require originating providers to collect more information about customers that are more likely to make illegal calls, e.g., those subscribing to high volume services or those that may be difficult to locate based on being foreign-based, or other factors? If so, what additional information should we require originating providers to collect from higher-risk customers? For example, the Lingo Consent Decree required the collection of an Employer Identification Number (EIN) or Business Registration Number for business accounts.22 Should we impose similar requirements for all new and renewing high-volume customers? To what extent would this assist in confirming the identity of the high-volume customers seeking to obtain access to the network? Is the distinction between a “high volume” and “low volume” customer sufficiently clear for KYC purposes or are there industry standards that should guide any such distinction, e.g., “high volume” being more than an individual caller or small business would typically make? Should all business customers accounts be subject to the same KYC requirements regardless of their call volume? Should we require originating providers to collect more information from customers that utilize lead generators or dialing platforms that may lack strong KYC requirements? Should we require originating providers to consult lists of terrorists and terrorist organizations and criminal persons maintained by law enforcement entities? 14. Differences Based on Prepaid and Postpaid Service. We seek comment on whether customer information requirements should vary depending upon whether the customer is seeking a prepaid or postpaid service plan. Are there differences in current industry KYC information collections based upon whether the customer is seeking prepaid or postpaid plans or whether the customer purchases a prepaid plan at a retail store or online? Are there KYC measures we can impose for prepaid service purchased through third-party vendors such as prepaid SIM cards? What, if any, customer information do wireless providers obtain from customers who purchase prepaid SIM cards? What percentage of prepaid plans are purchased in person at retail stores? What steps do providers currently take to validate KYC for prepaid services purchased at third-party retailers? Do prepaid customers have the same ability to make high volumes of illegal calls as postpaid customers, or are there inherent limitations on prepaid plans? To what extent are bad actors using prepaid service to make illegal calls? Are current KYC standards associated with prepaid services being exploited by criminals committing other types of crime, such as 22 See Lingo Consent Decree, 39 FCC Rcd at 9316, Attach. 1. 5 Federal Communications Commission FCC-CIRC2604-02 human trafficking? 15. For example, fraudulent Short Messaging Service (SMS) text messages can originate from Subscriber Identity Module (SIM) boxes.23 What steps have Mobile Network Operators (MNO) and Mobile Virtual Network Operators (MVNO) taken to address bulk purchases of SIM cards or bulk account activation? Have these measures proven effective at reducing the number of illegal calls being made using SIM boxes? If not, are there ways we should address this issue in the KYC framework that would not otherwise hinder access to affordable phone service to millions of Americans? 16. How do the KYC requirements discussed herein compare to existing industry practices and guidelines designed to satisfy the KYC requirement? To the extent these requirements create new burdens on originating providers, how can we minimize those burdens, including those on smaller originating providers such as non-nationwide service providers, while still promoting the objective to identify customers that pose the greatest risks to make illegal calls and to locate them if they do make such calls? For example, companies in the financial services industry need not directly collect KYC information in certain circumstances when they can obtain it from alternative sources such as credit reports.24 Should we adopt a similar exemption in this context? If so, which alternative sources should qualify for this exemption? We also seek comment on whether such KYC requirements would provide sufficient flexibility to account for different services and customers with varying risk profiles in a manner that allows providers to continue to adapt to the evolving tactics used by bad actors to gain access to voice services.25 17. We also seek comment on how we can ensure any new KYC requirements complement any Call Branding or Caller Name requirements we may adopt.26 For example, how can we ensure we do not duplicate burdens on originating providers? Is there a direct connection between the customer identity information originating providers would gather if we adopt enhanced KYC requirements and the caller identity information terminating providers would deliver to handsets? Are there other considerations raised in the Call Branding FNPRM proceeding that should be coordinated with any enhanced KYC requirements to better promote the objectives of both proceedings? We seek comment on these and any other issues relevant to this matter. B. Verifying and Retaining Customer Information 18. An effective KYC regime must confirm the accuracy of the information customers provide. We seek comment on requiring originating providers to take specific measures to verify, re- verify, and retain collected customer identification information. Bad actors may submit fake or stolen information to conceal their identity to gain access to the network and avoid accountability for making illegal calls. Originating providers that conduct a thorough verification of their customers’ information can discover the use of such fake information before allowing bad actors to originate calls and stop illegal calls before they occur. By better knowing their customers, providers can also help facilitate the Commission and other law enforcement agency efforts to locate such callers by ensuring that the information provided is accurate. Verification measures also ensure originating providers’ compliance with the obligation to exercise due diligence to ensure that its network is not used to originate illegal 23 See, e.g., U.S. Secret Service, U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area (Sept. 23, 2025) U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area | United States Secret Service (last visited Mar. 15, 2026); Aafiya Saba, Best Prepaid SIM Cards for Non-Residents & Visitors to the USA (2025 Guide) (June 23, 2025) Best Prepaid SIM Card for USA Visitors & Non-Residents | Lyca Mobile 2025 (noting with respect to “ID Verification” that “[s]ome carriers require minimal identification, but Lyca Mobile simplifies this process for travelers”) (last visited Mar. 15, 2026). 24 See 31 CFR § 1020.220(a)(2)(i)(C). 25 See, e.g., Letter from Glen S. Richards, Counsel to the Voice on the Net Coalition, to Marlene H. Dortch, Secretary, FCC, CG Docket No. 17-59, at 1 (dated Mar. 31, 2026) (VON ex parte). 26 See Call Branding FNPRM. 6 Federal Communications Commission FCC-CIRC2604-02 traffic.27 Periodic review or ongoing re-verification of KYC information is essential to ensure that bad actors have not gained access to the network and to enable the Commission to hold them accountable. 19. Verification. We seek comment on requiring originating providers to obtain supporting records to verify the customer’s identity, such as copies of government-issued identification. For customers seeking access to services that enable origination of high volumes of calls (e.g., a number of calls above what an individual caller would make using a personal account), we seek comment on requiring verification of customer information using supporting records such as corporate formation records, proof of good standing such as a state-issued certification, confirmation that the telephone number provided is the customer’s current active telephone number, third-party records of a customer’s physical address, and verification of commercial presence (e.g., website, social media, store front) when applicable before being granted access to the network.28 We anticipate that most high-volume callers will be businesses or similar entities that have such supporting records. To the extent, however, that they are individuals seeking access to high-volume service, what additional verification measures should we require? 20. Is this list comprehensive? Should we require more or fewer verification measures; should any additional steps vary depending on whether the customer is deemed higher or lower risk? And should we require that originating providers complete all steps successfully before allowing the customer to use its network? If the customer is renewing, what period of time should the provider have to complete its verification before suspending access to the network? What existing tools and practices do providers use to verify customer information? Are there commercially available resources that originating providers can use to accurately verify the identity and location of a customer? If so, should we find use of these resources sufficient to satisfy any enhanced KYC verification requirement? Are there other industries and/or other countries with successful KYC verification requirements? If so, are their models applicable to U.S. communications services? What privacy issues related to the collection and retention of such information should we consider? 21. We believe that there are red flags that should raise concerns for closer verification such as providing a registered agent or virtual office as a physical address; registering a corporate address using a residential address or random commercial location that is unaffiliated with the customer; lacking a commercial presence or operating a suspicious website (e.g., a newly created website); using a suspicious email address (e.g., a recently created email address, template website with little information unique to the company); not being registered in the state in which it purports to be located or incorporated; or paying for service in non-traceable ways such as the use of cryptocurrency. We tentatively conclude that these red flags should alert an originating provider as to a customer’s potential intention to use its service to make illegal calls and seek comment on this conclusion. Are there additional red flags that raise concerns with a customer’s access to the network that should result in originating providers exercising more stringent verification measures? 22. Risk-Based Re-verification. Should we require originating providers to re-verify KYC customer information in response to changes in traffic patterns or other red flags that may suggest illegal calls? If so, what types of changes in traffic patterns? We expect that originating providers will monitor traffic on their networks to determine if there are customer information inconsistencies such as a domestic U.S. company transmitting traffic from a foreign-based IP address or dormant accounts suddenly reappearing and sending large volumes of calls. In such instances, we seek comment on whether re- verification methods should include contacting the customer directly; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with financial institutions; or obtaining a financial statement. We seek comment on what resources, databases, 27 47 CFR § 64.1200(n)(4). 28 We have provided similar guidance in recent enforcement actions. See, e.g., Lingo Consent Decree, 39 FCC Rcd at 9316. 7 Federal Communications Commission FCC-CIRC2604-02 or third-party tools originating providers could use to verify customer identity. Are there privacy, cost, or operational concerns that we should consider when determining which verification resources are appropriate? 23. Alternatively, should we require originating providers to periodically re-verify customer information on an ongoing basis, such as annually? How would the compliance burdens of this approach compare to a re-verification process triggered only by a red flag or unusual activity on the customer’s account? Should any re-verification requirements be identical to the original verification measures when initiating service or, in the absence of any reasonable basis for concern or red flags, be less stringent? We seek comment on the current practices and guidelines that originating providers take in this context including how often and under what circumstances they re-verify customer information to ensure that it remains accurate and what actions they take to ensure that their services are not being used to originate illegal traffic. 24. Retention. We seek comment on requiring originating providers to retain KYC information and supporting records for the entirety of any potential statute of limitation period relating to misuse of their services to make illegal calls. In the case of spoofing or intentional violations of section 227(b) of the Communications Act, that statute of limitations period is four years.29 As a result, originating providers would be required to retain KYC customer information and supporting records for four years following termination of the customer relationship and we seek comment on this approach. We seek comment on industry customer information retention periods including whether this approach imposes any new burdens on smaller providers by differing from those practices. What steps does the industry take to protect such information from unauthorized access, and would those steps offer enough protection to an expanded collection and retention of PII or would heightened security be necessary? Should we consider an alternative retention timeframe?30 C. Enforcement 25. We propose to codify a base forfeiture amount for violations of section 64.1200(n)(4) on a per call basis to best correlate penalties to the volume of illegal calls made, and thus the harm caused by any one caller. Specifically, we propose to codify a $2,500 per call base forfeiture amount. Alternative approaches, such as assessing fines on a “per customer” basis, would result in a single base forfeiture regardless of the number of illegal calls made by the customer. The Commission has confirmed that the responsibility imposed by section 64.1200(n)(4) for originating providers to know their customers is a critical aspect of protecting Americans from illegal and harmful calls.31 We believe that our proposed approach would better encourage compliance with the rule. We seek comment on this and any other issues relevant to this proposal including whether and how to expedite the provision of customer information to the Commission or law enforcement upon any notification to the originating provider that one of its customers is under investigation for using the provider’s network to make illegal calls. 26. We seek comment on whether the Commission should, as an alternative to adopting specific KYC requirements, issue baseline KYC guidance or expectations that act as a regulatory safe harbor.32 Specifically, should we deem compliance with baseline KYC expectations a safe harbor from any enforcement action against the originating provider? Would such a safe harbor approach sufficiently incent better KYC practices while giving originating providers flexibility to develop innovative KYC protections and react to evolving tactics used by bad actors to gain access to voice networks? Does such an approach promote innovation and competition among originating providers leading to better KYC compliance and fraud prevention across the ecosystem of voice calling customers? 29 See 47 U.S.C. §§ 227(b)(4)(E)(ii), (e)(5)(A)(iv). 30 For example, the KYC retention period in the financial services industry is five years. 31 CFR § 1020.220(a)(3). 31 See Fourth Call Blocking Order, 35 FCC Rcd at 15232-33, para. 33. 32 See, e.g., VON ex parte at 1-2. 8 Federal Communications Commission FCC-CIRC2604-02 27. We seek comment on other enforcement measures we should consider to deter illegal calls. For example, are our existing rules sufficient to ensure that originating providers provide assurance of their compliance with KYC rules?33 If not, should we require a specific certification regarding KYC compliance as part of the Robocall Mitigation Database (RMD) filings? It might also include requiring originating providers to obtain independent verification of their compliance, e.g., via an independent auditor using generally accepted standards for providing such assurance. Should we consider broadening our downstream provider blocking requirements so that any provider downstream of an originating provider that fails to comply with our KYC requirements must block that originating provider’s traffic? Would that be technically feasible, e.g., can all downstream providers (not just the immediate downstream provider) identify the originating provider? D. Deterring Other Criminal Use of the Network 28. We seek comment on whether enhanced KYC requirements can prevent or deter criminal use of communication networks that do not involve illegal calls. For example, can enhanced KYC rules assist law enforcement in investigating organized criminal groups that use the network to facilitate illegal activities? Can they be used to deter or detect trafficking operations that use communication networks to buy and sell illicit goods? Would enhanced KYC measures for originating providers also address abuse in text messaging networks? Would such rules assist law enforcement in the investigation of fraud, espionage, or influence operations that undermine national security? Are there enhancements we could make that would better assist law enforcement investigations? E. Implementation 29. We seek comment on whether to make any rules we adopt pursuant to this Notice applicable primarily only to new and renewing customers that originating providers acquire after the effective date of any new rules and to any customers that renew service with such providers after the effective date.34 We also seek comment on whether any new KYC rules should take effect six months after OMB approval of any applicable Paperwork Reduction Act requirements. 30. We seek comment on whether we should adopt a different implementation timeline for KYC requirements that would apply to existing customers that use high-volume services if we were to adopt heightened KYC requirements for such customers seeking to obtain such services. Or should existing customers that use high-volume services have to undergo heightened KYC measures only at service renewal? How should we define renewal for this purpose? 31. We seek comment on these issues and whether they best balance the need for enhanced KYC requirements with the legitimate business requirements of providers, particularly small and rural providers. F. Legal Authority 32. Consistent with our approach in the Fourth Call Blocking Order, we believe sections 201(b), 227(e), and 251(e) of the Communications Act of 1934, as amended, give us authority to implement affirmative measures requiring originating providers to know their customers and exercise due diligence in ensuring that their services are not used to originate illegal calls.35 Section 201(b) grants us 33 See 47 CFR § 6305(d)(2)(ii) which requires providers to describe in their robocall mitigation plans how they comply with their obligation to know their customers and the analytics systems they use to identify and block illegal traffic. 34 We have sought comment on whether originating providers should re-verify customer information in response to changes in traffic patterns or other red flags that may suggest the use of it network to make illegal calls. If the record developed in response to this Notice supports such re-verification, it could extend KYC re-verification to existing customers in that limited context. 35 47 U.S.C. §§ 154(i), 201(b), 227(e), 251(e); Truth in Caller ID Act of 2009, Pub. L. No. 111-331, 124 Stat. 3572 (2010) (Truth in Caller ID Act). 9 Federal Communications Commission FCC-CIRC2604-02 broad authority to adopt rules governing just and reasonable practices of common carriers.36 Our section 251(e) numbering authority provides separate authority to prevent the fraudulent abuse of North American Numbering Plan (NANP) resources; this particularly applies where callers spoof caller ID for fraudulent purposes and therefore exploit numbering resources, regardless of whether the originating voice service provider that places the calls onto the U.S. network is a common carrier.37 33. Similarly, the Truth in Caller ID Act grants us authority to prescribe rules to make unlawful the spoofing of caller ID information with the intent to defraud, cause harm, or wrongfully obtain something of value.38 Taken together, section 251(e) and the Truth in Caller ID Act grant us authority to prescribe rules to prevent the unlawful spoofing of caller ID and abuse of NANP resources by callers, and the proposed amendments to our existing KYC requirements would take a further positive step toward stopping such illegal calling. Consistent with our existing section 64.1200(n)(4) rule, we find that it is essential that any rules apply to all originating providers including VoIP providers.39 Absent broad application, VoIP would remain a potential safe haven for malicious actors to make illegal calls to consumers. We seek comment on these views. 34. National Security. We believe that the Commission’s national security authority is another basis for the possible rules we discuss above. Illegal calls are more than an annoyance – bad actors can use them for denial-of-service attacks and also surveil and target government officials and sensitive infrastructure.40 We thus believe protecting networks with enhanced KYC requirements advances our responsibility to “make available, so far as possible, . . . a rapid, efficient, Nation-wide and world-wide wire and radio communication service . . . for the purpose of the national defense.”41 With respect to international telecommunications services, do we have authority under Section 303(r) to adopt rules implementing the General Agreement on Trade in Services (GATS), which allows members, subject to certain conditions, to enforce measures necessary to secure compliance with laws or regulations relating to “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts” and “the prevention of deceptive and fraudulent practices”?42 35. We seek comment on these possible bases of authority along with any others, including how our rights under other trade agreements, including free trade agreements, might serve as authority for any changes to our KYC requirements as discussed above.43 36 47 U.S.C. § 201(b). 37 47 U.S.C. § 251(e)(1). 38 47 U.S.C. § 227(e)(1), (3)(A). 39 See Fourth Call Blocking Order, 35 FCC Rcd at 15233-34, para. 37 (citing 47 U.S.C. § 154(i)). 40 See, e.g., Implementation of the Middle Class Tax Relief and Job Creation Act of 2012 Establishment of Public Safety Answering Point Do-Not-Call Registry Enhancing Security of Public Safety Answering Point Communications, CG Docket No. 12-129, PS Docket No. 21-343, Further Notice of Proposed Rulemaking, 36 FCC Rcd 15103, 15106, para. 9 (2021) (noting the risk of denial of service attacks to overwhelm the nation’s emergency call system). 41 47 U.S.C. § 151. 42 47 U.S.C. § 303(r); GATS: General Agreement on Trade in Services art. XIV, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1B, 1869 U.N.T.S. 183, 33 I.L.M. 1167. 43 See, e.g., World Trade Organization, Services: Sector by Sector Telecommunication services, https://www.wto.org/english/tratop_e/serv_e/telecom_e/telecom_e.htm (last visited Jan. 26, 2026); Office of the United States Trade Representative, Free Trade Agreements, https://ustr.gov/trade-agreements/free-trade- agreements (last visited Jan. 26, 2026). 10 Federal Communications Commission FCC-CIRC2604-02 G. Costs and Benefits 36. The Commission receives more complaints about illegal calls than any other issue.44 Illegal calls can annoy, defraud, and erode confidence in the telecommunications network while costing consumers billions of dollars in fraud and wasted time.45 As noted above, the most effective way to prevent illegal calls from reaching American consumers is by ensuring they never enter the network. Originating providers are best positioned to stop illegal calls before they enter the network by screening new or renewing customers. When an originating provider fails to meet its obligations to properly scrutinize its customers before they commence using the provider’s services to originate calls, it creates a risk that malicious actors will gain access to those services to make illegal calls and opens the door for foreign actors to exploit U.S. networks for fraud, espionage, or influence operations that undermine national security. In addition, a lack of accurate and complete customer information hinders the Commission’s ability to identify and locate parties responsible for making illegal calls. 37. In the Fourth Call Blocking Order, the Commission required all originating providers to implement KYC obligations and exercise due diligence to ensure their services are not used to originate unlawful and illegal calls.46 In this Notice, we seek comment on specific actions that originating providers might take to comply with the existing KYC requirements. We anticipate that many originating providers already take KYC compliance measures and therefore tentatively conclude that any incremental compliance costs will be minimal. We expect that any changes to the rules will eliminate confusion and provide clear guidance to originating providers where ambiguity exists. As a result, any rule changes are likely to reduce regulatory uncertainty. We seek comment on the costs and benefits of changes to our rules, including the specific economic impact on small business entities and ways to minimize those impacts. 38. We believe that any potential rule changes discussed above will help consumers avoid illegal calls including scams, fraud, and otherwise unlawful calls and better protect U.S. telecommunications networks from foreign actors. In addition, we propose to codify the forfeiture amount for KYC violations on a per call basis, which we believe will create incentives for compliance and further reduce the origination of unlawful and illegal calls. We seek comment on whether there are additional costs and burdens on originating providers that we have not identified including ways to minimize burdens for smaller voice service providers. IV. PROCEDURAL MATTERS A. Initial Regulatory Flexibility Act Analysis 39. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA),47 requires that an agency prepare a regulatory flexibility analysis for notice-and-comment rulemaking proceedings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.”48 Accordingly, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA), concerning potential rule and policy changes contained in this Further Notice of Proposed Rulemaking. The IRFA is set forth in Appendix B. The Commission invites the general public, in particular small businesses, to comment on the IRFA. Comments must be 44 See, e.g., FCC Consumer Complaint Data Center, CGB - Unwanted Calls Current YTD | Data | Federal Communications Commission. 45 See Call Authentication Trust Anchor NPRM, 40 FCC Rcd at 3467-68, para. 1 (noting that victims of calling scams are defrauded of an estimated $850 million annually with added costs for wasted time and nuisance increasing costs into the billions). 46 Fourth Call Blocking Order, 35 FCC Rcd at 15232, para. 32. 47 5 U.S.C. §§ 601 et seq., as amended by the Small Business Regulatory Enforcement and Fairness Act (SBREFA), Pub. L. No. 104-121, 110 Stat. 847 (1996). 48 Id. § 605(b). 11 Federal Communications Commission FCC-CIRC2604-02 filed by the deadlines for comments on the Further Notice of Proposed Rulemaking indicated on the first page of this document, and must also have a separate and distinct heading designating them as responses to the IRFA. B. Initial Paperwork Reduction Act Analysis 40. This Notice may contain proposed new or modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on these information collection requirements, as required by the Paperwork Reduction Act of 1995, 44 U.S.C. §§ 3501-3521. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, 44 U.S.C. § 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees. C. Filing Requirements—Comments and Replies 41. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS).49 • Electronic Filers: Comments may be filed electronically using the Internet by accessing the ECFS: https://www.fcc.gov/ecfs. • Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. o Filings can be sent by hand or messenger delivery, by commercial courier, or by the U.S. Postal Service. All filings must be addressed to the Secretary, Federal Communications Commission. o Hand-delivered or messenger-delivered paper filings for the Commission’s Secretary are accepted between 8:00 a.m. and 4:00 p.m. by the FCC’s mailing contractor at 9050 Junction Drive, Annapolis Junction, MD 20701. All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of before entering the building. o Commercial courier deliveries (any deliveries not by the U.S. Postal Service) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. o Filings sent by U.S. Postal Service First-Class Mail, Priority Mail, and Priority Mail Express must be sent to 45 L Street NE, Washington, DC 20554. • People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer and Governmental Affairs Bureau at (202) 418-0530. D. Ex Parte Rules 42. The proceeding this Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules.50 Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte 49 See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998). 50 47 CFR § 1.1206. 12 Federal Communications Commission FCC-CIRC2604-02 presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda, or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). Written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must, when feasible, be filed through the electronic comment filing system in the docket established for this proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules E. Providing Accountability Through Transparency Act 43. Consistent with the Providing Accountability Through Transparency Act, Public Law 118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.51 F. Additional Information 44. For further information about this Notice, contact Richard D. Smith, Consumer Policy Division, Consumer and Governmental Affairs Bureau, at Richard.Smith@fcc.gov. V. ORDERING CLAUSES 45. Accordingly, IT IS ORDERED, pursuant to sections 1-4, 201(b), 227(e), and 251(e) of the Communications Act of 1934, as amended, 47 U.S.C §§ 151-154, 201(b), 227(e), 251(e), and sections 1.411-1.413, and 1.421 of the Commission’s rules, 47 CFR §§ 1.411-1.413, 1.421, that this Further Notice of Proposed Rulemaking IS ADOPTED.52 46. IT IS FURTHER ORDERED, pursuant to sections 1.415 and 1.419 of the Commission’s Rules, 47 CFR §§ 1.415, 1.419, that interested parties may file comments on this Further Notice of Proposed Rulemaking on or before 30 days after publication in the Federal Register, and reply comments on or before 60 days after publication in the Federal Register. Comments and reply comments SHALL BE FILED in CG Docket No. 17-59 and CG Docket No. 02-278. 47. IT IS FURTHER ORDERED that the Commission’s Office of Secretary SHALL SEND a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for the Small Business Administration (SBA) Office of Advocacy. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 51 5 U.S.C. § 553(b)(4). The Providing Accountability Through Transparency Act of 2023, Pub. L. No. 118-9 (2023), amended the Administrative Procedure Act to add a requirement to publish a short summary, in plain language, of each notice of proposed rulemaking. 52 Pursuant to Executive Order 14215, 90 Fed. Reg. 10447 (Feb. 24, 2025), this regulatory action has been determined to be not significant under Executive Order 12866, 58 Fed. Reg. 51735 (Oct. 4, 1993). 13 Federal Communications Commission FCC-CIRC2604-02 APPENDIX A Proposed Rules For the reasons discussed in the document, the Federal Communications Commission proposes to amend 47 CFR part 1 as follows: PART 1 – Practice and Procedure 1. The authority citation for part 1 continues to read as follows: Authority: 47 U.S.C. chs. 2, 5, 9, 13; 28 U.S.C. 2461 note; 47 U.S.C. 1754, unless otherwise noted. 2. Amend § 1.80(b)(11) to read as follows. (11) *** TABLE 1 TO PARAGRAPH (b)(11)-BASE AMOUNTS FOR SECTION 503 FORFEITURES Violation Forfeitures amount Misrepresentation/lack of candor (1) Failure to file required DODC required forms, and/or filing materially inaccurate or $15,000 incomplete DODC information Construction and/or operation without an instrument of authorization for the service 10,000 Failure to comply with prescribed lighting and/or marking 10,000 Violation of public file rules 10,000 Violation of political rules: Reasonable access, lowest unit charge, equal opportunity, and 9,000 discrimination Unauthorized substantial transfer of control 8,000 Violation of children's television commercialization or programming requirements 8,000 Violations of rules relating to distress and safety frequencies 8,000 False distress communications 8,000 EAS equipment not installed or operational 8,000 Alien ownership violation 8,000 Failure to permit inspection 7,000 Transmission of indecent/obscene materials 7,000 Interference 7,000 Importation or marketing of unauthorized equipment 7,000 Exceeding of authorized antenna height 5,000 14 Federal Communications Commission FCC-CIRC2604-02 Fraud by wire, radio or television 5,000 Unauthorized discontinuance of service 5,000 Use of unauthorized equipment 5,000 Exceeding power limits 4,000 Failure to Respond to Commission communications 4,000 Violation of sponsorship ID requirements 4,000 Unauthorized emissions 4,000 Using unauthorized frequency 4,000 Failure to engage in required frequency coordination 4,000 Construction or operation at unauthorized location 4,000 Violation of requirements pertaining to broadcasting of lotteries or contests 4,000 Violation of transmitter control and metering requirements 3,000 Failure to file required forms or information 3,000 Per call violations of the robocall blocking rules 2,500 Per call Know Your Customer violations 2,500 Failure to make required measurements or conduct required monitoring 2,000 Failure to provide station ID 1,000 Unauthorized pro forma transfer of control 1,000 Failure to maintain required records 1,000 * * * * * 15 Federal Communications Commission FCC-CIRC2604-02 APPENDIX B Initial Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),1 the Federal Communications Commission (Commission) has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the policies and rules proposed in the Further Notice of Proposed Rulemaking (Notice) assessing the possible significant economic impact on a substantial number of small entities. The Commission requests written public comments on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments specified on the first page of the Notice. The Commission will send a copy of the Notice including this IRFA, to the Chief Counsel for the SBA Office of Advocacy.2 In addition, the Notice and IRFA (or summaries thereof) will be published in the Federal Register.3 A. Need for, and Objectives of, the Proposed Rules 2. The Commission has prioritized combatting illegal calls as a top consumer protection. The Commission’s goal is to stop illegal calls before they enter the network, thus requiring originating providers to block them, which would give consumers more information and ability to decide which calls they wish to receive. The Commission initiates this proceeding to further enhance its existing “Know- Your-Customer” (KYC) requirements to mandate better compliance and enforcement of the rule. The Commission seeks comment on specific actions originating providers must take to guard against the origination of illegal calls. In this Notice, the Commission notes that it receives more complaints about unwanted calls than any other issue.4 Unwanted and often illegal calls can annoy and defraud the consumer as well as lead to eroding confidence in the telecommunications network while costing consumers billions of dollars in fraud, wasted time, and nuisance.5 3. The most effective way to prevent illegal calls from reaching American consumers is by ensuring that those calls never originate on or enter the U.S. network. The Commission seeks comment on ways to keep bad actors from gaining access to the network. The Commission believes that originating providers are best positioned to stop illegal calls before they enter the network by screening new or renewing customers. When an originating provider fails to meet its obligations to properly scrutinize its customers before they commence using the provider’s services to originate calls, it creates a risk that malicious actors will gain access to those services to make illegal calls and opens the door for foreign actors to exploit U.S. networks for fraud, espionage, or influence operations that undermine national security. In addition, the Commission’s ability to identify and locate the parties that are responsible for making illegal calls is hindered when accurate and complete customer information is unavailable from the voice service provider. 4. In this Notice, we: (1) seek comment on specific customer identification requirements for new and renewing customers; (2) seek comment on requirements for originating providers to verify, retain, and periodically re-verify customer information; (3) seek comment on whether any enhanced KYC requirements should include risk-based security controls to require higher levels of scrutiny for certain customers including foreign customers and high-volume customers based on the risks posed to make illegal calls; and (4) propose that the Commission will assess penalties for violations of the KYC rule on a 1 5 U.S.C. §§ 601 et seq., as amended by the Small Business Regulatory Enforcement and Fairness Act (SBREFA), Pub. L. No. 104-121, 110 Stat. 847 (1996). 2 Id. § 603(a). 3 Id. 4 See, e.g., FCC Consumer Complaint Data Center, CGB - Unwanted Calls Current YTD | Data | Federal Communications Commission. 5 See Fourth Call Blocking Order, 35 FCC Rcd at 15222, para. 3. 16 Federal Communications Commission FCC-CIRC2604-02 per call basis. B. Legal Basis 5. The proposed action is authorized pursuant to sections 1-4, 201(b), 227(e), and 251(e) of the Communications Act of 1934, as amended, and 47 U.S.C. §§ 151-154, 201(b), 227(e), and 251(e). C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply 6. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted.6 The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.”7 In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act (SBA).8 A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.9 The SBA establishes small business size standards that agencies are required to use when promulgating regulations relating to small businesses; agencies may establish alternative size standards for use in such programs, but must consult and obtain approval from SBA before doing so.10 7. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe three broad groups of small entities that could be directly affected by our actions.11 In general, a small business is an independent business having fewer than 500 employees.12 These types of small businesses represent 99.9% of all businesses in the United States, which translates to 34.75 million businesses.13 Next, “small organizations” are not-for-profit enterprises that are independently owned and operated and not dominant their field.14 While we do not have data regarding the number of non-profits that meet that criteria, over 99 percent of nonprofits have fewer than 500 employees.15 Finally, “small governmental jurisdictions” are defined as cities, counties, towns, townships, villages, school districts, or special districts with populations of less than fifty thousand.16 Based on the 2022 U.S. 6 5 U.S.C. § 603(b)(3). 7 Id. § 601(6). 8 Id. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” 9 15 U.S.C. § 632. 10 13 CFR 121.903. 11 5 U.S.C. § 601(3)-(6). 12 See SBA, Office of Advocacy, Frequently Asked Questions About Small Business (July 23, 2024), https://advocacy.sba.gov/wp-content/uploads/2024/12/Frequently-Asked-Questions-About-Small-Business_2024- 508.pdf. 13 Id. 14 5 U.S.C. § 601(4). 15 See SBA, Office of Advocacy, Small Business Facts, Spotlight on Nonprofits (July 2019), https://advocacy.sba.gov/2019/07/25/small-business-facts-spotlight-on-nonprofits. 16 5 U.S.C. § 601(5). 17 Federal Communications Commission FCC-CIRC2604-02 Census of Governments data, we estimate that at least 48,724 out of 90,835 local government jurisdictions have a population of less than 50,000.17 8. The rules proposed in the Notice will apply to small entities in the industries identified in the chart below by their six-digit North American Industry Classification System (NAICS)18 codes and corresponding SBA size standard.19 Based on currently available U.S. Census data regarding the estimated number of small firms in each identified industry, we conclude that the proposed rules will impact a substantial number of small entities. Where available, we also provide additional information regarding the number of potentially affected entities in the above identified industries. Table 1. 2022 Census Bureau Data by NAICS Code Regulated Industry (Footnotes specify potentially affected NAICS SBA Size Total Total Small % Small entities within a regulated Code Standard Firms20 Firms21 Firms industry where applicable) Wired Telecommunications 1,500 Carriers22 517111 employees 3,403 3,027 88.95% Wireless Telecommunications 1,500 Carriers (except Satellite)23 517112 employees 1,184 1,081 91.30% 17 See U.S. Census Bureau, 2022 Census of Governments –Organization, https://www.census.gov/data/tables/2022/econ/gus/2022-governments.html, tables 1-11. 18 The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy. See www.census.gov/NAICS for further details regarding the NAICS codes identified in this chart. 19 The size standards in this chart are set forth in 13 CFR 121.201, by six digit North American Industrial Classification System (NAICS) code. 20 U.S. Census Bureau, "Selected Sectors: Employment Size of Firms for the U.S.: 2022." Economic Census, ECN Core Statistics Economic Census: Establishment and Firm Size Statistics for the U.S., Table EC2200SIZEEMPFIRM, 2025, “Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2022." Economic Census, ECN Core Statistics Economic Census: Establishment and Firm Size Statistics for the U.S., Table EC2200SIZEREVFIRM, 2025. 21 Id. 22 Affected Entities in this industry include Competitive Local Exchange Carriers (CLECs), , Incumbent Local Exchange Carriers (Incumbent LECs), Local Exchange Carriers (LECs). 23 Affected Entities in this industry include Wireless Carriers and Service Providers, Wireless Communications Services, Wireless Telephony. 18 Federal Communications Commission FCC-CIRC2604-02 Table 2. Telecommunications Service Provider Data 2024 Universal Service Monitoring Report SBA Size Standard Telecommunications Service (1500 Employees) Provider Data 24 (Data as of December 2023) Total # FCC Small % Small Affected Entity Form 499A Firms Entities Filers Competitive Local Exchange 3,729 3,576 95.90 Carriers (CLECs)25 Incumbent Local Exchange 1,175 917 78.04 Carriers (Incumbent LECs) Local Exchange Carriers (LECs)26 4,904 4,493 91.62 Wired Telecommunications 4,682 4,276 91.33 Carriers27 Wireless Telecommunications 585 498 85.13 Carriers (except Satellite)28 Wireless Telephony29 326 247 75.77 D. Description of Economic Impact and Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 9. The RFA directs agencies to describe the economic impact of proposed rules on small entities, as well as projected reporting, recordkeeping and other compliance requirements, including an estimate of the classes of small entities which will be subject to the requirements and the type of professional skills necessary for preparation of the report or record.30 10. The Commission seeks comment on specific actions originating providers should take to guard against unwanted and illegal calls. The Notice seeks comment on establishing new information collection, reporting, recordkeeping, or compliance requirements for small entities. Specifically, it seeks comment on requiring originating providers to obtain specific customer identification information from new and renewing customers. This may require originating providers to enhance their current practices for obtaining such customer information before granting access to their services. 11. The Notice also seeks comment on specific requirements for originating providers to verify, retain, and re-verify customer information. This may require affected small entities to establish or 24 Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2024), https://docs.fcc.gov/public/attachments/DOC-408848A1.pdf. 25 Affected Entities in this industry include all reporting local competitive service providers. 26 Affected Entities in this industry include all reporting fixed local service providers (CLECs & ILECs). 27 Local Resellers fall into another U.S. Census Bureau industry (Telecommunications Resellers) and therefore data for these providers is not included in this industry. 28 Affected Entities in this industry include all reporting wireless carriers and service providers. 29 Affected Entities in this industry include Cellular/PCS/SMR - Specialized Mobile Radio Licensees and SMR (Dispatch). 30 5 U.S.C. § 603(b)(4). 19 Federal Communications Commission FCC-CIRC2604-02 enhance existing verification procedures, maintain records of verification activities, and implement systems to ensure customer identification information is secure, accurate, and complete. 12. The Notice also seeks comment on whether KYC requirements should include risk-based security controls depending on an assessment of the risk that the customer poses to make large numbers of illegal calls. For example, greater levels of review for foreign and high-volume customers than for low-volume customers. To comply with this requirement, affected small entities may need to establish verification procedures when a customer indicates an intent to make a high volume of calls or is located in a country other than the United States. 13. Finally, the Commission invites comment on the costs and burdens of enhanced KYC requirements on small entity voice service providers. The Commission expects that information received in comments, including cost and benefit analyses where requested, will help the Commission identify and evaluate relevant compliance matters for small entities that may result if the proposals and associated requirements discussed in the Notice are ultimately adopted. E. Discussion of Significant Alternatives Considered That Minimize the Significant Economic Impact on Small Entities 14. The RFA directs agencies to provide a description of any significant alternatives to the proposed rules that would accomplish the stated objectives of applicable statutes, and minimize any significant economic impact on small entities.31 The discussion is required to include alternatives such as: “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.”32 15. In the Notice, the Commission seeks comment on several approaches that may minimize impacts on small entities. For example, we seek comment on whether originating providers should be exempted from acquiring direct KYC information when such information can be obtained from credible alternative sources such as a credit report. We also seek comment on current industry practices for obtaining, verifying, and retaining customer information including ways that we might tailor any enhanced KYC requirements to conform to these practices in a way that minimizes any new burdens. We seek comment on whether enhanced KYC requirements can be designed to complement any Call Branding FNPRM proposal to require originating providers that transmit caller identity information to employ reasonable measures to verify the accuracy of the information transmitted including mandating the collection and verification of specific customer information.33 In particular, we seek comment on whether there are ways in which enhanced KYC requirements can be coordinated to minimize burdens and promote industry compliance. Finally, we seek comment on whether any rules adopted pursuant to this Notice apply only to customers originating providers acquire after the effective date of any new rules and to any customers that renew service with the provider after the effective date. We also seek comment on whether any such rules should not take effect until six months after OMB approval of any applicable Paperwork Reduction Act requirement to provide affected entities with an opportunity to take any measures necessary to ensure compliance with these requirements. 16. The Commission expects to more fully consider the economic impact and alternatives for small entities following review of comments filed in response to the Notice and this IRFA. The Commission's evaluation of this information will shape the final alternatives it considers, the final 31 5 U.S.C. § 603(c). 32 Id. § 603(c)(1)-(4). 33 Call Branding FNPRM, FCC 25-76 at 14-15, paras. 43-46. 20 Federal Communications Commission FCC-CIRC2604-02 conclusions it reaches, and any final actions it ultimately takes in this proceeding to minimize any significant economic impact that may occur on small entities. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules None. 21