Federal Communications Commission FCC 23-95 Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 In the Matter of Protecting Consumers from SIM Swap and Port-Out Fraud ) ) ) ) WC Docket No. 21-341 REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING Adopted: November 15, 2023 Released: November 16, 2023 Comment Date: (30 days after Federal Register Publication) Reply Comment Date: (60 days after Federal Register Publication) By the Commission: Chairwoman Rosenworcel and Commissioners Starks and Gomez issuing separate statements. TABLE OF CONTENTS I. INTRODUCTION 1 II. BACKGROUND 4 III. DISCUSSION 18 A. Strengthening the Commission’s CPNI Rules to Protect Consumers 24 1. Customer Authentication Requirements 26 2. Response to Failed Authentication Attempts 31 3. Customer Notification of SIM Change Requests 35 4. Account Locks for SIM Changes 41 5. Tracking Effectiveness of SIM Change Protection Measures 46 6. Safeguards on Employee Access to CPNI 50 7. Telecommunications Carriers’ Duty to Protect CPNI 52 B. Strengthening the Commission’s Number Porting Rules to Protect Consumers 53 1. Customer Authentication Requirements 54 2. Customer Notification of Port-Out Requests 58 3. Account Locks for Port-Outs 61 4. Wireless Port Validation Fields 65 C. Additional Consumer Protection Measures 66 D. Implementation Timeframe 83 E. Legal Authority 84 IV. FURTHER NOTICE OF PROPOSED RULEMAKING 98 V. PROCEDURAL MATTERS 109 VI. ORDERING CLAUSES 120 APPENDIX A – FINAL RULES APPENDIX B – FINAL REGULATORY FLEXIBILITY ANALYSIS APPENDIX C – INITIAL REGULATORY FLEXIBILITY ANALYSIS I. INTRODUCTION 1. Today, we adopt measures designed to address two fraudulent practices bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of a consumer’s phone. In the first type of scam, a bad actor convinces a victim’s wireless provider In this item, when we use the term “wireless provider” we intend to encompass providers of commercial mobile radio service (CMRS) as defined in section 20.3 of the Commission’s rules. 47 CFR § 20.3 (defining commercial mobile radio service as a mobile service that is “(1) provided for profit, i.e., with the intent of receiving compensation or monetary gain; (2) An interconnected service; and (3) Available to the public, or to such classes of eligible users as to be effectively available to a substantial portion of the public,” or the “functional equivalent of such a mobile service”). to transfer the victim’s mobile service and number from the victim’s cell phone to a cell phone in the bad actor’s possession. This scam is also known as “SIM swapping” because it involves an account being fraudulently transferred (or “swapped”) from a device associated with one subscriber identity module (SIM) to a device associated with a different SIM. In the second type of scam, the bad actor, posing as the victim, opens an account with a wireless provider other than the victim’s current provider. The bad actor then arranges for the victim’s phone number to be transferred (or “ported out”) to the account with the new wireless provider controlled by the bad actor. 2. In this Report and Order, we take aim at these scams, with the goal of foreclosing the opportunistic ways in which bad actors take over customers’ cell phone accounts. In doing so, we balance the important objectives of protecting consumers from harmful fraudulent conduct while at the same time not impinging on customers’ ability to upgrade and replace their devices or choose their preferred wireless provider. Specifically, we revise our Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. We also require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts, and take additional steps to protect customers from SIM swap and port-out fraud. Our approach sets baseline requirements that establish a uniform framework across the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available. 3. In the accompanying Further Notice of Proposed Rulemaking (Further Notice), we seek comment on whether to harmonize the existing requirements governing customer access to CPNI See id. § 64.2010. with the SIM change authentication and protection measures we adopt today. We also seek comment on what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. II. BACKGROUND 4. SIM Swap and Port-Out Fraud. Cell phone numbers are frequently used as a means of authenticating the identity of users for various types of accounts, including accounts with wireless providers, e-mail and social media providers, financial institutions, healthcare providers, and retail websites. For example, a consumer logging in to a bank account might be asked not only to provide the correct username and password, but also to input a one-time passcode sent via text message to the consumer’s cell phone. Similarly, a consumer who has forgotten the password for a social media account may be prompted to enter a one-time passcode sent via text message to the consumer’s cell phone before being allowed to reset the password. Because so many consumers have their cell phones with them at all times, authentication using text messages and phone calls can be incredibly convenient, but these authentication methods also have incentivized bad actors to find ways to intercept authentication texts and calls. Two techniques they use to accomplish this involve misuse of mechanisms that enhance competition in the telecommunications marketplace and ensure that customers can access telecommunications services using the devices and providers of their choosing: SIM changes and number porting. 5. SIM changes allow customers to keep their wireless services and phone numbers when they upgrade their cell phone or replace a cell phone that is lost or broken. A SIM facilitates the proper routing of texts and calls to a customer’s cell phone so long as the SIM associated with the customer’s phone number is assigned to that customer’s phone. Each mobile device has its own unique SIM. A SIM can be a physical card or a digital, virtual card embedded into the phone itself (eSIM card). FCC, eSIM Cards FAQ, https://www.fcc.gov/consumers/guides/esim-cards-faq. In either form, the SIM “contains unique information that identifies it to a specific mobile network” and “allows subscribers to use their mobile devices to receive calls, send SMS messages, or connect to mobile internet services.” Russell Ware, What is a SIM Card?, Lifewire, https://www.lifewire.com/what-are-sim-cards-577532 (updated May 21, 2021). While SIM changes historically occurred by removing a physical SIM card from an old phone and placing it in a new phone, now wireless providers virtually reassign embedded, electronic SIMs in modern phones from an old phone to a new one. See FCC, eSIM Cards FAQ, https://www.fcc.gov/consumers/guides/esim-cards-faq (last updated July 10, 2023). Bad actors have successfully taken advantage of this legitimate practice by impersonating a customer of a wireless provider and convincing the provider to reassign the virtual SIM card from the real customer’s device to a device controlled by the bad actor, a practice known as “SIM swap fraud.” CTIA, Protecting Your Wireless Account Against SIM Swap Fraud, https://www.ctia.org/protecting-against-sim-swap-fraud (last visited Oct. 18, 2023). This allows the bad actor to gain access to information associated with the customer’s account, including CPNI, and gives the bad actor control of the customer’s phone number so that the bad actor receives the text messages and phone calls intended for the victim. See Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Notice of Proposed Rulemaking, 36 FCC Rcd 14120, 14122, para. 5 (2021) (SIM Swap and Port-Out Fraud Notice). 6. Number porting allows customers to retain their phone numbers when they switch from one service provider to another, which enables customers to choose a service provider that best suits their needs. See generally 47 U.S.C. § 153(37) (defining “number portability”); Local Number Portability Porting Interval and Validation Requirements; Telephone Number Portability, WC Docket No. 07-244, CC Docket No. 95-116, Report and Order and Further Notice of Proposed Rulemaking, 24 FCC Rcd 6084, 6087, para. 6 (2009) (Porting Interval Order and FNPRM). To initiate a port between two wireless providers, a customer must provide certain identifying information (i.e., telephone number, current account number, five-digit ZIP code, and any customer-assigned passcode) to the new wireless provider. The new wireless provider then sends a request to port the customer’s number with this identifying information through the numbering administrator to the current wireless provider. See Telephone Number Requirements for IP-Enabled Services Providers; Local Number Portability Porting Interval and Validation Requirements; IP-Enabled Services; Telephone Number Portability; Numbering Resource Optimization, WC Docket No. 07-243 et al., Report and Order, Declaratory Ruling, Order on Remand, and Notice of Proposed Rulemaking, 22 FCC Rcd 19531, 19555, para. 44 (2007) (2007 VoIP LNP Order or 2007 LNP Four Fields Declaratory Ruling). Once the current wireless provider verifies this information (thus “validating the port”), the two wireless providers coordinate through the numbering administrator to port the customer’s number to the new wireless provider. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14122, para. 6. As with SIM swap fraud, bad actors have successfully taken advantage of this legitimate practice by impersonating a customer of a wireless provider and convincing the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls. FCC, Port-Out Fraud Targets Your Private Accounts, https://www.fcc.gov/port-out-fraud-targets-your-private-accounts (last updated July 10, 2023). This “port-out fraud” likewise gives the bad actor control over the customer’s phone number, thereby allowing the bad actor to receive text messages and phone calls intended for the victim. 7. Once a fraudulent SIM swap or port-out request has been completed, the bad actor has acquired the means to take control of many more of the victim’s accounts, which can result in substantial harm to the customer. For instance, because the bad actor can now intercept text messages and phone calls used to authenticate a customer’s financial, social media, and other accounts, the bad actor may have the means to gain access to these accounts and then change login credentials, obtain sensitive information, drain bank accounts, and sell or try to ransom social media accounts. See, e.g., Department of Justice, U.S. Attorney’s Office, Western District of Texas, San Antonio Pair Plead Guilty to SIM Swap Scheme (Oct. 12, 2022), https://www.justice.gov/usao-wdtx/pr/san-antonio-pair-plead-guilty-sim-swap-scheme; Department of Justice, U.S. Attorney’s Office, Eastern District of Louisiana, California Resident Pleads Guilty for His Role in Sim Swap Scam Targeting at Least 40 People, Including New Orleans Resident (May 18, 2022), https://www.justice.gov/usao-edla/pr/california-resident-pleads-guilty-his-role-sim-swap-scam-targeting-least-40-people; Alina Machado, Woman Loses Life Savings in SIM Swap Scam (Aug. 26, 2022), https://www.nbcmiami.com/responds/woman-loses-life-savings-in-sim-swap-scam/2845044/; U.S. Department of Justice, Office of the U.S. Attorneys, District of Maryland, Two Men Facing Federal Indictment in Maryland for Scheme to Steal Digital Currency and Social Media Accounts Through Phishing and “Sim-Swapping” (Oct. 28, 2020), https://www.justice.gov/usao-md/pr/two-men-facing-federal-indictment-maryland-scheme-steal-digital-currency-and-social-media; U.S. Department of Justice, Office of the U.S. Attorneys, Eastern District of Michigan, Nine Individuals Connected to a Hacking Group Charged With Online Identity Theft and Other Related Charges (May 9, 2019), https://www.justice.gov/usao-edmi/pr/nine-individuals-connected-hacking-group-charged-online-identity-theft-and-other (reporting the indictment of nine individuals alleged to have participated in thefts of victims’ identities to steal cryptocurrency via “SIM Hijacking”); Lorenzo Franceschi-Bicchierai, Hacker Who Stole $5 Million By SIM Swapping Gets 10 Years in Prison (Feb. 1, 2019), https://www.vice.com/en/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison (reporting that a 20-year old student who stole more than $5 million in cryptocurrency by hijacking the phone numbers of around 40 victims pleaded guilty and accepted a plea deal of 10 years in prison, believed to be the first person convicted of a crime for SIM swapping); Gertrude Chavez-Dreyfuss, U.S. Investor Sues AT&T for $224 million over loss of cryptocurrency (Aug. 15, 2018), https://www.reuters.com/article/us-cryptocurrency-at-t-lawsuit/u-s-investor-sues-att-for-224-million-over-loss-of-cryptocurrency-idUSKBN1L01AA. Victims can also be harmed by the loss of service on their devices—the phone going dark or only allowing 911 calls—which is typically the first sign that SIM swap or port-out fraud has occurred. 8. The Commission and the Federal Trade Commission (FTC) have received hundreds of customer complaints about SIM swap and port-out fraud. According to staff review of informal complaints submitted through the Commission’s Consumer Complaint Center, https://consumercomplaints.fcc.gov/hc/en-us, the Commission received approximately 300 complaints in 2020 concerning SIM swap or port-out-fraud, 400 in 2021, and 500 in 2022. The FTC identified 966 consumer reports of “Phone Carrier Switching” in 2020, 157 in 2021, and 188 in 2022. See Federal Trade Commission, Consumer Sentinel Network Data Book 2022 (Feb. 2023), at Appx. B, p. 88, https://www.ftc.gov/system/files/ftc_gov/pdf/CSN-Data-Book-2022.pdf. The FTC published a consumer alert regarding SIM swap scams in 2019. Alvaro Puig, FTC, SIM Swap Scams: How to Protect Yourself (Oct. 23, 2019), https://consumer.ftc.gov/consumer-alerts/2019/10/sim-swap-scams-how-protect-yourself. Some of the complaints describe wireless provider customer service representatives and store employees who do not know how to address instances of fraudulent SIM swaps or port-outs, resulting in customers spending many hours on the phone and at retail stores trying to get resolution.  Other customers complain that their wireless providers have refused to provide them with documentation related to a fraudulent SIM change, making it difficult for them to pursue claims with their financial institutions or law enforcement. Several customer complaints filed with the Commission allege that a wireless provider’s store employees are involved in the fraud or that providers completed SIM changes despite the customer having previously set a PIN or password on the account. 9. A study published in 2020 by a group of Princeton University researchers found that some wireless providers are using insecure mechanisms to authenticate the identities of individuals making SIM change requests. See Kevin Lee, Ben Kaiser, Jonathan Mayer, Arvind Narayanan, Center for Information Technology Policy, Princeton University, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, August 2020, at Appx., available at https://www.usenix.org/system/files/soups2020-lee.pdf. The researchers opened ten pre-paid accounts each with five major wireless providers— AT&T Mobility, LLC (AT&T), T-Mobile US, Inc. (T-Mobile), Tracfone, US Mobile, and Verizon Wireless (Verizon)—and called to request a SIM change on each account. The researchers found that all five wireless providers “used insecure authentication challenges that could easily be subverted by attackers.” Lee et al. at 1. Specifically, the research team identified six types of information used by the wireless providers to authenticate their customers that were or could be vulnerable to abuse. These types of information were: (1) Personal Information: including street address, e-mail address, date of birth; (2) Account Information: last 4 digits of payment card number, activation date, last payment date and amount; (3) Device Information: IMEI (device serial number), ICCID (SIM serial number); (4) Usage Information: recent phone numbers called; (5) Knowledge: PIN or password, answers to security questions; and (6) Possession: one-time passcode sent via text message or e-mail. Id. at 2. For example, authentication based on recent payment information was exploitable because some wireless providers do not have systems that prevent a bad actor from purchasing a refill card and submitting it on a victim’s account, then requesting a SIM change using the known refill as authentication. Id. at 2-3. Call history information was exploitable because a bad actor could bait a victim into placing calls to specific phone numbers and provide those phone numbers as authentication, and in some cases it appeared that customer service representatives had the discretion to allow authentication with incoming call information. Id. The researchers also found that certain authentication information, such as device information, was vulnerable because it is readily available to bad actors. Id. at 3. Additionally, they noted that recent research has shown that preset answers to “security” questions are an insecure means of authentication, because answers that are memorable are also frequently guessable by an attacker. Id. The research team also found that “in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges in the call.” Id. And in some instances, wireless providers disclosed personal customer information without any authentication at all, including information that could be used to authenticate a customer. Id. 10. The researchers also examined the potential downstream consequences of fraudulent SIM swaps. They “evaluated the authentication policies of over 140 online services that offer phone-based authentication to determine how they stand up to an attacker who has compromised a user’s phone number via a SIM swap.” Id. at 1. The researchers found that 17 websites across different industries have implemented authentication policies with logic flaws that would allow an attacker to fully compromise an account with just a SIM swap. Id. 11. Privacy of Telecommunications Customer Information. Section 222 of the Communications Act of 1934, as amended (the Act) obligates telecommunications carriers to protect the privacy and security of information about their customers to which they have access as a result of their unique position as network operators. 47 U.S.C. § 222. See also Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, et al., CC Docket Nos. 96-115, et al., Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409, 14419-20, paras. 12-14 (1999) (CPNI Reconsideration Order) (denying petitions for reconsideration and forbearance seeking different treatment for wireless providers under the Commission’s CPNI rules, concluding that “there is nothing in the statute or its legislative history to indicate that Congress intended the CPNI requirements in section 222 should not apply to wireless carriers”). Section 222(a) requires carriers to protect the confidentiality of proprietary information of and relating to their customers, among others. 47 U.S.C. § 222(a). Section 222(c)(1) provides that a carrier may only use, disclose, or permit access to individually identifiable CPNI that it has received or obtained by virtue of its provision of a telecommunications service: (1) as required by law; (2) with the customer’s approval; or (3) in its provision of the telecommunications service from which such information is derived or its provision of services necessary to, or used in, the provision of such telecommunications service. 47 U.S.C. § 222(c)(1). Subsequent to the adoption of section 222(c)(1), Congress added section 222(f). Section 222(f) provides that for purposes of section 222(c)(1), without the “express prior authorization” of the customer, a customer shall not be considered to have approved the use or disclosure of or access to (1) call location information concerning the user of a commercial mobile service or (2) automatic crash notification information of any person other than for use in the operation of an automatic crash notification system. Id. § 222(f). Section 222(d) delineates certain exceptions to the general principle of confidentiality, including permitting a carrier to use, disclose, or permit access to CPNI obtained from its customers to protect telecommunications services users “from fraudulent, abusive, or unlawful use of, or subscription to” telecommunications services. CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.” 47 U.S.C. § 222(h)(1). The Commission has not provided an exhaustive list of what constitutes CPNI, but it has explained that CPNI includes (but is not limited to): the phone numbers called by a consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115, WC Docket No. 04-36, 22 FCC Rcd 6927, 6931, para. 5 (2007) (2007 CPNI Order). 12. The Commission first promulgated rules implementing the express statutory obligations of section 222 in 1998. See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, et al., CC Docket Nos. 96-115, et al., Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061 (1998) (CPNI Order). In addition to imposing restrictions on the use and disclosure of CPNI, the Commission adopted a set of rules designed to ensure that telecommunications carriers establish effective safeguards to protect against unauthorized use or disclosure of CPNI. See id. at 8195, paras. 193-202; 47 CFR §§ 64.2001-2009 (1998). Among other things, the Commission required telecommunications carriers to train their personnel as to when they are and are not authorized to use CPNI and required carriers to have an express disciplinary process in place for when personnel improperly use CPNI. See 47 CFR § 64.2009(b) (1998); see also CPNI Order, 13 FCC Rcd at 8198, para. 198. In addition, the Commission required each carrier to annually certify its compliance with the CPNI requirements and to make this certification publicly available. 47 CFR § 64.2009(e) (1998); see also CPNI Order, 13 FCC Rcd at 8199, para. 201; CPNI Reconsideration Order, 14 FCC Rcd at 14468-69, n.331 (clarifying that carriers must “make these certifications available for public inspection, copying and/or printing at any time during regular business hours at a centrally located business office of the carrier”). 13. In 2007, the Commission amended its CPNI rules to address “pretexting,” a scheme in which a bad actor pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records. 2007 CPNI Order, 22 FCC Rcd at 6928, para. 1 & n.1. The Commission concluded that “pretexters have been successful at gaining unauthorized access to CPNI” Id. at 6934, para. 12. and that “carriers’ record on protecting CPNI demonstrate[d] that the Commission must take additional steps to protect customers from carriers that have failed to adequately protect CPNI.” Id. at 6933. The new amendments to the rules restricted the release of call detail information The Commission defined “call detail” information to include “any information that pertains to the transmission of specific telephone calls including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call.” 2007 CPNI Order, 22 FCC Rcd at 6936, n.45. based on customer-initiated telephone contact, imposed password requirements for customer account access, and required carriers to appropriately authenticate both new and existing customers seeking access to CPNI online. See id. at 6936-41, 6945-46, paras. 13-22, 33-36; 47 CFR § 64.2010(b)-(e). The Commission also required carriers to take reasonable measures to both discover and protect against attempts to gain unauthorized access to CPNI See 2007 CPNI Order, 22 FCC Rcd at 6945-46, paras. 33-36; 47 CFR § 64.2010(a). and to notify customers immediately of certain account changes, including whenever a password, customer response to a carrier-designed back-up means of authentication, online account, or address of record is created or changed. See 2007 CPNI Order, 22 FCC Rcd at 6942, para. 24; 47 CFR § 64.2010(f). To protect customers from malicious account changes, these carrier notifications cannot reveal the changed account information, nor can they be sent to any updated account information associated with the change. 47 CFR § 64.2010(f). In addition, the Commission modified its CPNI rules to require carriers to notify law enforcement and customers of security breaches involving CPNI. 2007 CPNI Order, 22 FCC Rcd at 6943-45, paras. 26-32; 47 CFR § 64.2011. The Commission has made clear that carriers are free to implement more rigorous security measures to meet their section 222 obligations to protect the privacy of CPNI and that carriers have a fundamental duty to remain vigilant in their protection of CPNI. See 2007 CPNI Order, 22 FCC Rcd at 6945-46, paras. 33-35. In addition, the Commission required affirmative customer consent (“opt-in consent”) before a carrier could disclose a customer’s CPNI to a carrier’s joint venture partners or independent contractors for the purposes of marketing communications-related services to that customer. See id. at 6947-53, paras. 37-50. Finally, the Commission also extended the application of its CPNI rules to providers of interconnected Voice over Internet Protocol (VoIP) service, finding that it is “reasonable for American consumers to expect that their telephone calls are private irrespective of whether the call is made using the services of a wireline carrier, a wireless carrier, or an interconnected VoIP provider, given that these services, from the perspective of a customer making an ordinary telephone call, are virtually indistinguishable.” Id. at 6956, para. 56; see also id. at 6954-57, paras. 54-59. We note that, in 2008, Congress ratified the Commission’s decision to apply section 222’s requirements to interconnected VoIP by adding language to section 222 that expressly covers “IP-enabled voice service,” defined by reference to the Commission’s definition of “interconnected VoIP service.” See New and Emerging Technologies 911 Improvement Act of 2008, Pub. L. No. 110-283 (2008); 47 U.S.C. § 222(d)(4), (f)(1), (g) (applying provisions of section 222 to “IP-enabled voice service”); id. § 615b(8) (defining “IP-enabled voice service” as having “the meaning given the term ‘interconnected VoIP service’ by section 9.3 of the Federal Communications Commission’s regulations (47 CFR 9.3)”). Additionally, in 2007 Congress adopted criminal prohibitions both on obtaining CPNI from a telecommunications carrier and on the sale, transfer, purchase, or receipt of fraudulently obtained CPNI. Telephone Records and Privacy Protection Act of 2006, Pub. L. 109-476, 120 Stat. 3568 (2007) (codified at 18 U.S.C. § 1039). 14. Local Number Portability. Section 251(b)(2) of the Act requires local exchange carriers (LECs) to “provide, to the extent technically feasible, number portability in accordance with requirements prescribed by the Commission.” 47 U.S.C. § 251(b)(2). The Act and the Commission’s rules define number portability as “the ability of users of telecommunications services to retain, at the same location, existing telecommunications numbers without impairment of quality, reliability, or convenience when switching from one telecommunications carrier to another.” 47 U.S.C. § 153(37); 47 CFR § 52.21(m). The Commission has interpreted this language to mean that consumers must be able to change providers while keeping their telephone number as easily as they may change providers without taking their telephone number with them. See Telephone Number Portability; Carrier Requests for Clarification of Wireless-Wireless Porting Issues, CC Docket No. 95-116, Memorandum Opinion and Order, 18 FCC Rcd 20971, 20975, para. 11 (2003) (Wireless Number Portability Order), aff’d, Central Tex. Tel. Coop., Inc. v. FCC, 402 F.3d 205 (D.C. Cir. 2005). Section 251(e)(1) of the Act gives the Commission exclusive jurisdiction over the North American Numbering Plan and related telephone numbering matters in the United States. 47 U.S.C. § 251(e)(1). Although the Act excludes Commercial Mobile Radio Service (CMRS) providers from the statutory definition of “local exchange carrier,” 47 U.S.C. § 153(32). the Commission extended the LNP obligations to CMRS providers pursuant to its independent authority in sections 1, 2, 4(i) and 332 of the Act. See Telephone Number Portability, CC Docket No. 95-116, First Report and Order and Further Notice of Proposed Rulemaking, 11 FCC Rcd 8352, 8431, para. 153 (1996) (First Number Portability Order); Telephone Number Portability, CC Docket No. 95-116, First Memorandum Opinion and Order on Reconsideration, 12 FCC Rcd 7236, 7315-17, paras. 140-42 (1997) (First Number Portability Order on Reconsideration) (affirming the Commission’s decision to impose number portability obligations on CMRS providers). Wireless providers have been required to provide wireless number portability since 2003. See 47 CFR § 52.31(a); see also First Number Portability Order, 11 FCC Rcd at 8439-41, paras. 164-68 (discussing implementation schedule for CMRS providers); see also Cellular Telecommunications Industry Association’s Petition for Forbearance from Commercial Mobile Radio Services Number Portability Obligations; Telephone Number Portability, WT Docket No. 98-229, CC Docket No. 95-116, Memorandum Opinion and Order, 14 FCC Rcd 3092, 3111-12, paras. 37-39 (1999) (extending the implementation deadline for CMRS providers in the top 100 Metropolitan Statistical Areas where another carrier has made a specific request for the provision of LNP until November 24, 2002); Verizon Wireless’s Petition for Partial Forbearance from Commercial Mobile Radio Services Number Portability Obligations; Telephone Number Portability, WT Docket No. 01-184, CC Docket No. 95-116, Memorandum Opinion and Order, 17 FCC Rcd 14972, 14981-86, paras. 23-31 (2002) (extending the implementation deadline for CMRS providers in the top 100 MSAs until November 24, 2003). 15. In 2003, the Commission clarified that for wireless ports, absent an agreement setting additional terms, wireless providers need only share basic contact and technical information with each other sufficient to validate and execute the port. See Wireless Number Portability Order, 18 FCC Rcd at 20978, para. 24. In 2007, the Commission clarified that a porting-out provider may not require more than a “minimal but reasonable” amount of information from the porting-in provider to validate a port request and accomplish the port. See 2007 LNP Four Fields Declaratory Ruling, 22 FCC Rcd at 19553, para. 42. The Commission concluded that for simple A simple port is a port that (1) does not involve unbundled network elements; (2) involves an account only for a single line; (3) does not include complex switch translations (e.g., Centrex, ISDN, AIN services, remote call forwarding, or multiple services on the loop); and (4) does not include a reseller. See, e.g., id. at 19556, n.153. wireline-to-wireline, wireless-to-wireless, and intermodal ports, LNP validation should be based on no more than four fields: (1) 10-digit telephone number; (2) customer account number; (3) five-digit ZIP code; and (4) passcode (if applicable). See id. at 19557, para. 48; see also id. at 19558, para. 49 (“We are persuaded that the approach we adopt here reasonably balances consumer concerns about slamming with competitors’ interest in ensuring that LNP may not be used in an anticompetitive manner to inhibit consumer choice.”). This information is provided by the customer to the new carrier, who then provides it to the old carrier in order to validate the request. See, e.g., FCC, Porting: Keeping Your Phone Number When You Change Providers, https://www.fcc.gov/consumers/guides/porting-keeping-your-phone-number-when-you-change-providers. In 2010, the Commission expanded and standardized the information exchanged between carriers when they execute a simple wireline or intermodal port, which it concluded was necessary to ensure carriers could accomplish ports within a one-business day porting interval the Commission established in 2009. See Local Number Portability Porting Interval and Validation Requirements; Telephone Number Portability, Report and Order, 25 FCC Rcd 6953, 6959-62, paras. 9-17 (2010) (LNP Standard Fields Order); id. at 6954, para. 1 (“This Order completes the task of facilitating prompt transfers by standardizing the data to be exchanged when transferring a customer’s telephone number between two wireline providers; a wireline and wireless provider; or an interconnected Voice over Internet Protocol (VoIP) provider and any other service provider.”); 47 CFR § 52.36(a) (“A telecommunications carrier may require only the data described in paragraphs (b) and (c) of this section to accomplish a simple port order request from an end user customer’s new telecommunications carrier.”); id. § 52.36(d) (“For purposes of this section, the term ‘telecommunications carrier’ includes an interconnected VolP provider as that term is defined in § 52.21(h).”). The Commission mandated that telecommunications carriers use 14 “Required Standard Data Fields”—and may require only those fields to accomplish such ports. The Commission required that service providers use the following 14 fields to accomplish a wireline or intermodal simple port: (1) “Ported Telephone Number” – the customer’s telephone number; (2) “Account Number” – the customer’s account number with the current service provider; (3) “Zip Code” – the zip code for the customer’s address associated with the account; (4) “Company Code” – the operating company number, or OCN, of the new service provider; (5) “New Network Service Provider” – the name of the new service provider; (6) “Desired Due Date” – the date by which the customer wants the port completed; (7) “Purchase Order Number” – the customer’s unique purchase order or requisition number that authorizes issuance of the port request; (8) “Version” – the version number of the order submitted by the new service provider; (9) “Number Portability Direction Indicator” – information to let the new service provider direct the correct administration of E-911 records; (10) “Customer Carrier Name Abbreviation” – the three-letter code for the name of the new service provider; (11) “Requisition Type and Status” – the type of order to be processed, such as number portability, loop with number portability, retail/bundled, resale, directory listings, etc.; (12) “Activity” – the activity involved in the service request, such as porting, new account installation, disconnection, suspension, restoration, etc.; (13) “Telephone Number of Initiator” – the telephone number for the new service provider initiating the port request; and (14) “Agency Authority Status” – which indicates that the new service provider initiating the port request has an authorization to initiate a port on file. 47 CFR § 52.36(b); see also LNP Standard Fields Order, 25 FCC Rcd at 6959-62, paras. 9-17. We note that when requesting a port, some of the information described above is supplied by the customer to the new or gaining carrier and some of the information is provided by the new carrier to the current carrier. The Commission maintained the three customer-provided information fields from the 2007 LNP Four Fields Declaratory Ruling—ported telephone number, customer account number, and customer ZIP code. See 47 CFR § 52.36(b)(1)-(3). The rules also permit customers to request that a user-created passcode be put on their account, which the customer must then provide before a port can be accomplished. See id. § 52.36(c). The Commission at the time found that the exchange of these fields struck the appropriate balance between streamlining the porting process and ensuring accurate ports, and also reasonably balanced customer concerns about unauthorized ports with competitors’ interest in ensuring that porting obligations may not be used in an anticompetitive manner to inhibit customer choice. See generally LNP Standard Fields Order, 25 FCC Rcd at 6956-62, paras. 6-10. 16. The members of the non-governmental, multi-stakeholder Number Portability Industry Forum (NPIF) have created “Best Practices” for porting between and within telephony carriers. NPAC, Number Portability Best Practices, https://workinggroup.numberportability.com/number-portability-best-practices (last visited Oct. 18, 2023). These Best Practices are voluntary and not mandated by the Commission, but reflect the consensus of the NPIF or its predecessor organization regarding the preferred processes for porting. See id. Best Practice 73 (Unauthorized Port Flow) specifically addresses unauthorized ports, including fraudulent ports. Best Practice 73 addresses three types of unauthorized ports: disputed ports (usually a result of two or more parties each claiming to be the authorized end user, including business partner disputes, personal relationship disputes, dissolution of franchises); inadvertent ports (which occur as a result of an error, including incorrect number provided by End User and typographical errors in local service requests); and fraudulent ports (which occur as a result of an intentional act of fraud, theft, and/or misrepresentation). See Best Practice 73, NPAC, Number Portability Best Practices, at 1-2, https://workinggroup.numberportability.com/number-portability-best-practices (last visited Oct. 18, 2023). Among other things, it encourages carriers to review “incident and/or police report details if provided” and places priority on resolving unauthorized ports that have a heightened severity of impact. These include ports involving an “FCC/PUC/Attorney General complaint; court order; military institution; medical facility; business lines (i.e. national organization, main published line); emergency services; medical support services; or otherwise documented as properly reported to law enforcement.” See Best Practice 73, NPAC, Number Portability Best Practices, at 4, https://workinggroup.numberportability.com/number-portability-best-practices (last visited Oct. 18, 2023). 17. Notice of Proposed Rulemaking. In September 2021, the Commission adopted the SIM Swap and Port-Out Fraud Notice, in which it proposed to amend the Commission’s CPNI and LNP rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14121, para. 3. The SIM Swap and Port-Out Fraud Notice also proposed to require wireless providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts and sought comment on other ways to protect customers from SIM swap and port-out fraud. Id. III. DISCUSSION 18. Today we revise our CPNI and LNP rules to provide greater protection to customers from SIM swap and port-out fraud. The cornerstone of our action is a requirement that wireless providers use secure methods of authenticating customers prior to performing SIM changes and number ports. Other rules we adopt reinforce that requirement, including that wireless providers adopt processes for responding to failed authentication attempts, institute employee training for handling SIM swap and port-out fraud, and establish safeguards to prevent employees who interact with customers from accessing CPNI until after customers have been authenticated. We also adopt rules that will enable customers to act to prevent and address fraudulent SIM changes and number ports, including requiring that wireless providers notify customers regarding SIM change and port-out requests, offer customers the option to lock their accounts to block processing of SIM changes and number ports, and give advanced notice of available account protection mechanisms. We further establish requirements to minimize the harms of SIM swap and port-out fraud when it occurs, including requiring wireless providers to maintain a clear process for customers to report fraud, promptly investigate and remediate fraud, and promptly provide customers with documentation of fraud involving their accounts. Finally, to ensure wireless providers track the effectiveness of authentication measures used for SIM change requests, we require that they keep records of SIM change requests and the authentication measures they use. 19. In adopting these rules, we balance the need to protect customers from the harms of SIM swap and port-out fraud with the goal of preserving the relative ease with which customers can obtain legitimate SIM changes and number ports. The record reflects that the vast majority of SIM change and port-out requests are legitimate. See, e.g., T-Mobile Comments at 2 (asserting that “the vast majority of subscriber SIM swap and port-out requests are legitimate”); CTIA Reply at 1 (“[T]he overwhelming majority—well over 99%—of SIM swap and port-out requests are legitimate.”); AT&T Comments at 7-8 (“By AT&T’s calculation, more than 99 percent of the total SIM changes and port-outs it processes are legitimate.”). It also shows that the efficient and effective processing of SIM changes and port-out requests promotes customer choice and competition See, e.g., CTIA Reply at 3 (“Given the importance of [SIM changes and number porting] for enabling provision of service, competition, and consumer choice, it is critical for customers seeking to replace or upgrade their device or to change their provider to be able to do so both securely and without undue friction in the customer experience.”) (emphasis in original); CTIA Comments at 10 (“It is critical that the LNP rules continue to protect against anti-competitive behaviors, and that any updates to address port-out fraud should be clearly tied to consumer fraud protection.”); T-Mobile Comments at 2-3 (“[T]he Commission should ensure that any rule changes do not limit consumer choice between wireless providers or stifle competition by introducing undue delay or complexity to fulfilling port-out and SIM swap requests.”); AT&T Comments at 1-2 (“SIM swaps and port-outs are, in short, integral features of the competitive wireless marketplace.”); Verizon Comments at 1 (explaining that SIM changes and number porting “benefits competition and customer choice by enabling consumers to efficiently switch providers and take advantage of new devices and service plans”). and prevents interruptions in access to wireless services that are vital to customers’ everyday lives. See, e.g., T-Mobile Comments at 7 (“Wireless services are vital to most Americans and, therefore they must have the ability to make account changes.”); id. at 6-7 (“T-Mobile’s wireless services are a lifeline for its over 100 million postpaid and prepaid subscribers across America, who rely on wireless services for connections to family, work, public safety, and school as well as key apps and services.”); AT&T Comments at 17-18 (noting that cell phones “have become an essential part of everyday life”). Service interruptions can be particularly problematic when they hamper the ability of customers to access emergency services. See, e.g., CTIA Comments at 9 (asserting that “[s]ervice disruptions due to strict authentication requirements could be particularly impactful for customers who are in emergency situations”). We agree with the Competitive Carriers Association (CCA) that “enhanced requirements for SIM swap and port-out requests can implicate the customer experience and can intentionally or unintentionally serve as impediments to legitimate requests to change devices or change providers.” CCA Comments at 7; see also NCTA Comments at 7 (arguing that certain prescriptive requirements “would create unnecessary obstacles for consumers that desire to switch providers”). We are wary of setting rigid requirements that would impose significant burdens on customers without substantially protecting against SIM swap and port-out fraud. See, e.g., AT&T Comments at 2-3 (“Across-the-board prescriptive rules would increase consumer frustration in nearly all SIM- or port-related transactions without a concomitant reduction in the risk.”); id. at 12-13 (explaining that specific mandates could “restrict[] consumer choice and impos[e] delays and other burdens upon the overwhelming majority (more than 99 percent) of transactions that are perfectly legitimate”); CTIA Reply at 5 (“An approach that is unnecessarily rigid will adversely affect legitimate customers’ ability to swap SIM cards and port numbers, which are both critical to ensuring provision of service, customer choice, and competition.”). We also recognize that prescribing particular security methods can place greater burdens on some customers because of their technical and financial means, digital literacy, accessibility needs, and other particularized circumstances. See, e.g., CCA Comments at 7 (noting that when security measures cause frustration, “customers, especially those who are older or less familiar with technology, may be deterred from selecting a provider who may offer a better service” and therefore that the Commission “should be attentive to ensuring that heightened authentication procedures are customer friendly”); T-Mobile Comments at 6-7 (asserting that the Commission should strive for SIM swap and port-out fraud rules that “promote diversity, inclusion, and accessibility of wireless services”); Verizon Comments at 6 (“As the NPRM notes, in-store customers in need of a SIM change may not be tech savvy, so flexibility to allow some form of physical documentation will be needed.”). We anticipate that the approach we take today will provide meaningful protection to customers while preserving the competition and customer choice that SIM changes and number porting are meant to facilitate and avoiding undue burdens that hinder access to wireless services. 20. To that end, we set baseline rules, rather than prescriptive requirements, that establish a uniform framework across the mobile wireless industry for the types of policies and procedures providers must employ to combat SIM swap and port-out fraud. The record indicates that several wireless providers already rely, at least partly, on some of these policies and procedures. See, e.g., CTIA Comments at 3-4 (highlighting “the variety of tactics used to combat SIM swapping and port-out fraud”); CTIA Reply at 5-9 (further detailing the tactics providers use); NCTA Comments at 4-5 (explaining that wireless providers already use many of the practices proposed in the SIM Swap and Port-Out Fraud Notice to prevent SIM swap and port-out fraud today); CCA Comments at 6 (noting that many CCA members already have implemented the measures proposed in the SIM Swap and Port-Out Fraud Notice to combat SIM swap and port-out fraud); AT&T Comments at 13 (“Carriers are already authenticating customers using one or more of the methods identified in the Commission’s existing and/or proposed rules.”); T-Mobile Comments at 1 (“T-Mobile has robust protections in place to help prevent fraudulent SIM swapping and port-outs from occurring.”). We are concerned, however, that a lack of consistency in how wireless providers apply these measures and a lack of uniformity in the use of these measures industry-wide leaves some customers vulnerable to SIM swap and port-out fraud. The rules we adopt ensure that all wireless providers are taking consistent and comprehensive steps to address this fraud. For wireless providers that already employ the measures we require, in many cases our rules simply raise the bar by requiring them to adapt, refine, or consistently apply those existing practices. For wireless providers that do not, our new rules require them to implement new practices to meet the baseline standards. We anticipate that our approach will ensure that customers receive effective protection from SIM swap and port-out fraud regardless of the wireless telecommunications services they purchase or the wireless provider from whom they purchase them. 21. In setting baseline requirements, rather than prescriptive rules, our approach also gives wireless providers the flexibility to establish the specific fraud protection measures they use so that they can deliver the most advanced protections available. The record provides substantial evidence that to best combat SIM swap and port-out fraud, wireless providers need flexibility. See, e.g., AT&T Comments at 11 (“Effective mitigation requires an agile approach to managing these risks that can only be achieved within a flexible framework.”); NCTA Comments at 2 (“[I]f the Commission moves forward with new rules to address fraud, the best approach would be to establish a flexible standard requiring heightened authentication measures for SIM swap requests. The Commission should adopt a similarly flexible requirement to take reasonable measures to prevent port-out fraud.”); CTIA Comments at 16 (“[T]echnical, rigid, and narrow requirements will not move the needle for consumer protection in the same way that a smart, flexible, future-proof, and risk-based framework will.”); CCA Comments at 6 (“The Commission should resist, however, from requiring a defined set of measures that all carriers should uniformly adopt.”); Verizon Comments at 5 (“[P]roviders must have flexibility both to develop and implement new methods beyond those enumerated in the draft rule.”). In particular, we are persuaded that wireless providers need such flexibility so that they can adapt their security methods to keep pace with the evolving threat landscape. Verizon notes that “fraudsters are sophisticated and constantly look to circumvent any protections, no matter how robust.” Verizon Comments at 1; see also AT&T Comments at 11 (“Bad actors perpetually look for creative ways to gain access to consumers’ financial or social media accounts.”); CCA Comments at 4-5 (“[S]ophisticated hackers and other bad actors are resourceful and often find ways to skirt safeguards to sensitive information.”). We also recognize that “[r]apid technological changes introduce new vulnerabilities that existing rules may be unequipped to address.” CCA Comments at 4-5. We are therefore concerned by record evidence that a static set of prescriptive requirements may incentivize some wireless providers to rely exclusively on those security methods and discourage them from innovating and adopting new and improved practices to address evolving fraud techniques used by bad actors. See, e.g., AT&T Comments at 14 (“[L]ocking in a particular list of authentication methods would play into bad actors’ hands by discouraging carriers from adopting new methods not expressly blessed by the Commission’s rule, while inhibiting the ability of carriers and other stakeholders to innovate, as necessary and appropriate, to address evolving threats.”); Better Identity Coalition at 6 (asserting that if the Commission enshrined guidelines or standards into regulation, “it might inadvertently preclude carriers from deploying new innovations that emerge after [those guidelines and standards were developed] that might address new threats or more efficiently identify or authenticate consumers.”); FIDO Alliance Comments at 3 (arguing that reliance on the four specified authentication methods may disincentive providers from adopting stronger authentication measures); CCA Comments at 4-5 (cautioning against adopting rules that “might inhibit a provider’s ability to respond to new threats as they emerge” and noting that if “a future technology, proves to be more effective or secure than today’s technologies, the Commission should ensure that its rules do not end up serving as an obstacle to adoption of better practices”); CTIA Reply at 14 (“The Commission should thus ensure that its regulatory approach does not impede providers’ ability to protect their customers.”). We also share concerns that setting specific requirements could either provide a roadmap for bad actors seeking to commit fraud See, e.g., AT&T Comments at 12-13 (“[S]pecific mandates in this context could provide a roadmap for bad actors who would quickly tailor their tactics to circumvent them.”); Verizon Comments at 5 (arguing that enumerating particular methods to prevent unauthorized SIM changes “will give bad actors a roadmap and that may prove less effective over time”); CTIA Comments at 10-11 (“[R]igid and prescriptive requirements hurt security more than they may help. . . . [I]f every provider authenticates requests in the same way, fraudsters and scammers will find a way around such uniform ‘safeguards.’”); Better Identity Coalition at 2-3 (suggesting that if the Commission prescribes specific authentication requirements, “attackers would simply adapt their attack methods to target these new authenticators, with the net effect being no significant slowdown in the pace of SIM Swap attacks”). or lock in measures that quickly prove to be ineffective or obsolete. See, e.g., CCA Comments at 5 (asserting that specific methods “could become obsolete quickly”); CTIA Comments at 11 (“[A]voiding rigid rules that are tied to specific technologies or tools will also help to future-proof FCC guidance when it comes to authentication.”); T-Mobile Comments at 2 (“[W]hat constitutes a ‘secure method of authentication’ is likely to change over time.”); Better Identity Coalition at 4 (“One constant in cybersecurity is that threats are constantly evolving, as are the tools used to stop threats. But regulations are permanent, or in a best-case scenario, infrequently updated. Any regulatory approach that seeks to tie MNOs to using specific authentication technologies is certain to fail to keep up as threat and security both evolve.”). The aim of our action today is to better protect telecommunications customers from fraudulent schemes; in doing so, it is important that our rules, while functioning as baseline safeguards, do not serve as obstacles to adoption of better security practices. Indeed, the record asserts that establishing rules that provide flexibility will incentivize wireless providers to develop and adopt new and improved methods to protect against SIM swap and port-out fraud See, e.g., CTIA Reply at 15 (arguing that “a more flexible approach that allows for innovation and iteration is best”); CCA Comments at 4 (asserting that any rules the Commission adopts should be “sufficiently flexible to account for evolving technologies”); Princeton Comments at 4 (“Authentication methods and security practices continue to evolve, and carriers should be welcome—and encouraged—to adopt innovative safeguards.”); T-Mobile Comments at 12-13 (“Flexibility will promote innovation and improved security for customers.”); NCTA Comments at 7 (“An adaptable standard as discussed above will best incentivize carriers to adopt solutions that provide effective security for their customers and services while not handcuffing carriers to specific technology or processes as new solutions emerge.”). and enable them to quickly adapt their security measures to respond to evolving techniques and technologies used by bad actors. See, e.g., CTIA Comments at 10-11 (asserting that “[f]lexibility is a cornerstone of effective risk management, as it allows providers to develop and deploy innovative tools that can meet evolving threats and stay ahead of the fraudsters, as opposed to ‘checking the box’ on stagnant compliance requirements”); CTIA Reply at 15-16 (explaining that flexibility will help prevent security practices from lagging behind bad actor tactics); Verizon Comments at 5 (“[P]roviders must have flexibility both to develop and implement new methods beyond those enumerated in the draft rule to keep ahead of bad actors and to abandon measures that no longer work.”); CCA Comments at 5 (asserting that “the Commission should allow for flexibility for carriers to respond quickly and nimbly to new threats and to encourage adopting innovative solutions to threats”); Somos Comments at 2 (“As with most fraud the telecom industry suffers, the bad actors are constantly evolving. Solutions should evolve, as well.”). Accordingly, we agree with AT&T that “[t]he best way to combat ever-evolving fraud tactics is to allow industry players the ability to adapt and respond to these changing threats in real-time,” AT&T Comments at 2. and we afford wireless providers this flexibility with the rules we adopt in this Report and Order. 22. Flexibility will also permit wireless providers to use the specific security practices that are effective and appropriate under the circumstances. We are persuaded that any given measure will rarely prove foolproof, necessary, or suitable in all instances, See, e.g., AT&T Comments at 5 & 12-13 (explaining that “no method of authentication is foolproof or effective in every instance” and that “[e]ven proposals that have merit in certain circumstances should not be foisted onto all carriers in all circumstances”); T-Mobile Comments at 12 (noting that failed authentication attempts occur with regularity for legitimate users and therefore may not necessarily signal nefarious activity that requires heightened security measures); FIDO Alliance Comments at 3-4 (explaining, for example, that one-time use passcodes sent by SMS as a method of authentication are “useless” if a customer’s phone is lost or stolen). and therefore that wireless providers should have the ability to tailor the security mechanisms they use. AT&T, for instance, asserts that it has had success in deploying measures strategically to reduce the incidents of SIM swap and port-out fraud, AT&T Comments at 2-3 (“Wireless carriers have developed substantial expertise in detecting and combating new forms of fraud. Significantly, AT&T has limited the incidences of fraudulent SIM swaps and port-outs by remaining flexible and varied in the tools it employs, allowing us to be at least as agile as the fraudsters.”). and with our rules, we seek to foster such outcomes. Our flexible approach enables wireless providers to implement security measures that are designed to address a customer’s particular circumstances and preferences, and also allows wireless providers to implement measures that are best suited for their business models, technologies, and the services they offer. See, e.g., CTIA Comments at 3 & 18 (explaining that flexibility for notifications is needed so that providers can “account for the complexities of notifications in various contexts”); CTIA Reply at 15-16 (noting that the record illustrates “that flexibility is important to continue to allow providers to meet the diverse needs of their customers”); Princeton Comments at 11-12 (declining to take a position on how investigations of fraud should be conducted, “since the details will vary by account compromise”); AT&T Comments at 5 (explaining that the tools it uses to combat SIM swap and port-out fraud “are tailored to different customers, services, and technologies because they must be”); id. at 11 (explaining that because customer needs vary, the “diverse characteristics of these customers and the products and services they utilize lend themselves to different risk-management approaches”); CCA Comments at 5 (explaining that “[c]arriers often adopt policies that serve the specific needs of their consumers”); T-Mobile Comments at 9 (asserting that notification methods “should be flexible and reflect customers’ preferences”). We also recognize that some wireless providers may seek to use a risk-based model, whereby they apply different mechanisms to protect customers based on the likelihood of fraud for a particular SIM change or port-out request, and we do not want to hinder these targeted efforts. See, e.g., AT&T Comments at 13-14 (“AT&T employs data-driven analytics to make an initial risk assessment for specific postpaid transactions, which drives confidence in the authenticity of the transactions and allows them to be completed without delay or burden to the customer.”); CTIA Reply at 11-12 (“One key step in protecting consumers and businesses against account takeovers is for organizations to deploy risk-appropriate authentication practices.”); T-Mobile Comments at 2 (“Organizations should use authentication measures that correspond to the value and sensitivity of the accounts involved.”). For these reasons, we conclude that wireless providers should have the flexibility to determine which specific measure will be most effective at protecting customers against SIM swap and port-out fraud in a given circumstance in accordance with our baseline rules. 23. We further anticipate that our flexible approach will enhance protections for customers without placing undue costs and burdens on wireless providers. We are cognizant that in some instances, strict prescriptive requirements to prevent SIM swap and port-out fraud could be technically and economically infeasible for wireless providers to implement, particularly for smaller providers. See, e.g., CCA Comments at 6 (“The Commission should also keep in mind the constraints with which many small carriers operate against in adopting security measures. Smaller carriers may have more limited app or e-commerce platforms, and may not currently have the capability, for example, to generate a one-time port out PIN via an app on a 24/7/365 basis.”); T-Mobile Comments at 12 (asserting that it would be technically difficulty to track multiple failed authentication attempts because users attempt to access their accounts across various platforms, such as over the phone, online, or in retail stores run by the carrier or a third party); CTIA Comments at 16 (same). Even in the instances when wireless providers do have the means to implement prescriptive requirements, those requirements could prove burdensome on providers if they become obsolete or ineffective and providers are compelled to maintain them alongside new and better practices they adopt to address the evolving threat landscape. See, e.g., AT&T Comments at 13 (asserting that the methods of authentication proposed by the Commission “would introduce new and often unwanted complexities in the SIM swap process for carriers and their customers. Fundamentally, requiring the use of particular authentication methods for every SIM swap would impose tremendous burdens on carriers and customers without clear additional benefit”). By setting baseline requirements and giving wireless providers flexibility on how to meet them, we allow providers to adopt the most cost-effective and least burdensome solutions to achieve the level of security needed to protect customers against SIM swap and port-out fraud in a given circumstance. Additionally, because many of our rules build on existing mechanisms that many wireless providers already use, we expect that our new rules will further minimize the costs and burdens for those providers. A. Strengthening the Commission’s CPNI Rules to Protect Consumers 24. In this section, we adopt baseline measures designed to reduce the incidence of SIM swap fraud without impinging on customers’ ability to upgrade and replace their devices. As proposed in the SIM Swap and Port-Out Fraud Notice, SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130, para. 23. we require wireless providers to use secure methods to authenticate customers that are reasonably designed to confirm a customer’s identity prior to effectuating SIM changes, but we depart from our proposal specifying particular methods of authentication, to allow providers the flexibility they need to implement the most modern and effective authentication methods on an ongoing basis. We also adopt rules to require wireless providers to implement procedures to address failed authentication attempts and to notify customers of SIM change requests prior to effectuating a SIM change. Additionally, we adopt rules that allow customers to lock their accounts to prevent SIM changes, require wireless providers to track the effectiveness of the authentication measures they have implemented, and safeguard against employee access to CPNI prior to authentication. In each instance, we afford wireless providers needed flexibility while enhancing protections for customers. 25. The record makes clear that because SIMs are only used to facilitate service for mobile wireless devices, SIM swap fraud is a practice that is exclusive to mobile wireless services. See, e.g., AT&T Comments at 1 (noting that “SIM swaps allow customers to replace a defective SIM or, more commonly, to upgrade or replace an outdated, lost, stolen, or damaged phone, tablet, or other mobile device, without disruption to their wireless service”); CCA Comments at 1 (explaining that SIM swap fraud is a method malicious actors use to steal mobile accounts); CTIA Comments at 1-2 (discussing SIM swap fraud exclusively in the context of wireless services); National Consumer Law Center (NCLC) and Electronic Privacy Information Center (EPIC) Comments at 2 (NCLC/EPIC Comments) (noting that “American cell phone users . . . are extremely vulnerable to having their telephone numbers hijacked by fraudsters through the process of SIM swapping and port-out fraud”); NCTA Comments at 1 (explaining that with SIM swap fraud, “the bad actor convinces the wireless provider to transfer the customer’s service from the subscriber identity module (SIM) in the customer’s phone to a new SIM in the bad actor’s phone”); T-Mobile Comments at 1 (expressing support for “the Commission’s efforts to make it harder for bad actors to take control of consumers’ cell phone accounts through fraudulent subscriber identity module (‘SIM’) swapping”); Verizon Comments at 2 (explaining that “SIM changes help customers by enabling them to easily move a mobile phone number to a new SIM card”); see also Lee et al. at 61 (explaining that a SIM swap attack involves “unauthorized change to the victim’s mobile carrier account” whereby “the attacker diverts service, including calls and messages, to a new SIM card and device that they control”). Thus, we apply these new requirements to providers of commercial mobile radio service (CMRS), as defined in section 20.3 of Title 47 of the Code of Federal Regulations, 47 CFR § 20.3. Under this definition, our new rules apply to both facilities-based wireless providers as well as resellers of wireless services. Additionally, given that section 332(c)(1)(A) of the Act requires that providers of commercial mobile service be treated as common carriers, 47 U.S.C. § 332(c)(1)(A), our rules cover “any officer, agent, or other person acting for or employed by any common carrier or user, acting within the scope of his employment.” 47 U.S.C. § 217. including resellers of CMRS. We apply these new requirements to all SIM changes that wireless providers perform. Verizon suggests that requirements we adopt may not be necessary for all SIM changes, asserting that “[t]he vast majority of SIM changes do not raise security concerns,” Verizon Comments at 6, but Verizon did not explain how carriers may know that certain SIM changes are lower risk than others and its assertion did not receive support in the record, so we decline to limit the applicability of our requirements to only certain SIM changes. Further, we require wireless providers to implement these rules with respect to customers of both pre-paid and post-paid services, consistent with the protections afforded by section 222. We see no reason why the protections should not apply to all customers of CMRS, including customers of resellers, particularly considering indications in the record that pre-paid customers are disproportionately impacted by fraud and that many customers impacted by such fraud are low-income customers who can ill afford such losses. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14137, para. 45 (seeking comment on whether the rule should apply only to certain services or accounts); see also, e.g., Princeton Comments at 13 (recommending that “any new rules apply to both prepaid and postpaid wireless carriers”); NCLC/EPIC Comments at 2 (noting that “American cell phone users, particularly those who rely on prepaid phones, are extremely vulnerable to having their telephone numbers hijacked by fraudsters” and that prepaid phone customers are “generally low-income consumers”). We make clear, however, that the rules we adopt today do not require providers to collect more information about pre-paid customers than they otherwise do in the normal course of business, nor should they be interpreted to impose disparate burdens on pre-paid customers related to information collection or authentication. See Letter from Avonne Bell, Director, Connected Life, CTIA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 21-341, at 10 (filed Nov. 8, 2023) (CTIA Nov. 8, 2023 Ex Parte Letter). 1. Customer Authentication Requirements 26. We update our CPNI rules to protect customers from the risk of fraudulent SIM swaps by requiring wireless providers, prior to conducting a SIM change, to use secure methods to authenticate a customer that are reasonably designed to confirm a customer’s identity, SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130, para. 23. We encourage wireless providers to use secure authentication methods that accommodate the needs of the broad spectrum of customers they may serve. See infra para. 56. except to the extent otherwise required by the Safe Connections Act or the Commission’s rules implementing that statute. The Safe Connections Act of 2022, Pub. L. No. 117-223, 136 Stat. 2280 (Safe Connections Act), which is codified at 47 U.S.C. § 345, requires wireless providers to separate lines from a multi-line account upon request of a survivor of domestic violence and other related crimes and abuses. 47 U.S.C. § 345(b)(1). The Commission proposed rules implementing this requirement and sought comment both on authentication of survivors seeking line separations and how to prevent fraud related to line separation requests. See Supporting Survivors of Domestic and Sexual Violence; Lifeline and Link Up Reform and Modernization; Affordable Connectivity Program, WC Docket Nos. 22-238, 11-42, 21-450, Notice of Proposed Rulemaking, FCC 23-9, paras. 44-45, 103 (rel. Feb. 17, 2023) (Safe Connections Notice). In an Order adopted today implementing the Safe Connections Act, the Commission adopted rules to require covered providers to attempt to authenticate, using multiple authentication methods if necessary, that a survivor requesting a line separation is a user of a specific line or lines. See Supporting Survivors of Domestic and Sexual Violence, WC Docket No. 22-238, Report and Order, FCC 23-96, para. 52 (rel. Nov. 16, 2023) (Safe Connections Order). Covered providers must use methods that are reasonably designed to confirm the survivor is actually a user of the specified line(s) on the account when the survivor is not the primary account holder or a designated user, and this authentication shall be sufficient for requesting a SIM change when made in connection with a line separation request. See id. To the extent this requirement differs from other authentication requirements, including those in 47 CFR § 64.2010, the line separation authentication requirements the Commission adopts to implement 47 U.S.C. § 345 serve as an exception to those other requirements. See id. We also make clear that the Safe Connections Act-related exceptions to our new SIM change and LNP rules for any SIM change or port-out requests made in connection with a legitimate line separation request apply regardless of whether a line separation request is technically or operationally infeasible. We define “SIM,” for purposes of these rules, as “a physical or virtual card associated with a device that stores unique information that can be identified to a specific mobile network.” See Appx. A (new 47 CFR § 64.2010(h)). We slightly revise this definition from that proposed in the SIM Swap and Port-Out Fraud Notice to provide greater clarity that a SIM is not necessarily a physical card. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130, para. 23 (proposing a similar definition but with “contained within ” in place of “associated with”); NCLC/EPIC Comments at 3 (writing that they are “encouraged” by the Commission’s proposal and definition of “SIM”). The record reflects significant support for strengthening authentication requirements for SIM change requests, See, e.g., Bank Policy Institute/BITS (BPI/BITS) Comments at 1 (“BPI/BITS supports reasonable measures to require additional authentication factors to reduce these risks.”); CCA Comments at 3 (agreeing that “some degree of heightened authentication procedure is appropriate in the context of SIM swaps or port outs to prevent the increasing risk of fraud”); Princeton Comments at 2 (“We support the Commission’s proposal to require that carriers complete strong customer authentication before effectuating a SIM swap.”); Somos Comments at 2 (“It should be required that trusted identity verification and validation, as qualification of a SIM swap transaction must be implemented.”); ATL Comments at 1 (supporting “additional fraud prevention methods and requiring all carriers to adopt secure methods of authenticating a customer before SIM changes”); Prove Comments at 2-3 (“Prove believes that carriers should securely authenticate customers prior to effectuating any SIM swap or port-out request.”). and we find that the requirement we adopt today most appropriately balances the need to increase protection for customers from these types of fraudulent schemes while providing wireless providers the flexibility the record shows they need to respond to new and emerging threats. See AT&T Comments at 11; Verizon Comments at 5; CCA Comments at 5; CTIA Comments at 16-17; T-Mobile Comments at 12-13; NCTA Comments at 2-6; Somos Comments at 2; CTIA Reply at 15. We are persuaded by commenters that a general security authentication standard will afford customers the highest level of protection by allowing wireless providers to implement the authentication methods raised in the record, See, e.g., FIDO Alliance Comments at 4 (citing the benefits of the FIDO standards public key cryptography approach); Better Identity Coalition Comments at 3-4 (explaining that “industry and government are moving away from knowledge-based approaches to authentication (i.e. passwords) to those that are possession-based, such as authentication based on the FIDO2 standards”); OPUS Research Reply at 1 (promoting the use of “voice biometrics as part of a multi-factor approach to strong customer authentication”); Prove Comments at 2-6 (suggesting development and use of a “neutral, cross-industry, consumer-managed tool” based on the authentication factors of possession, reputation, and ownership); Princeton Comments at 5-6, 12 (supporting the use of multi-factor authentication and implementation of a system for carriers to check whether a SIM was recently swapped); NCTA Comments at 5 (asserting that “multi-factor authentication that considers biometrics, devices, app-based tokens, and other unique identifiers . . . also provide security and offer benefits to consumers, including ease of use”); Robert Ross Comments at 5-8 (recommending the Commission require authentication solutions based on the principles of layered security, non-profit solutions, a combination of customer-facing and non-customer facing methods, and a combination of technology and human solutions, with examples provided); BPI/BITS Comments at 2-3 (expressing support for “app-based push notification to a trusted mobile device, biometrics identifiers, or cryptographic keys,” for certain types of data); ID.me Comments at 4 (“The FCC should require carriers to comply with NIST SP 800-63-3 IAL2, AAL2, and FAL2 before authorizing SIM Swap and Port-Out transactions.”); iProov Comments at 5-7 (recommending the Commission require “at least two independent authentication factors” be used and that the list of secure methods include a strong multi-factor authentication factor, such as cloud biometrics, “that does not rely on possession of the device or number”); T-Mobile Comments at 3 (explaining that customers are permitted to set up multi-factor authentication “using methods including security questions, SMS, or device-based biometrics such as Face ID or fingerprint recognition on devices that support such features”). or develop new authentication methods, in ways that both account for advances in the technology and tactics used by bad actors and that work best for their customers and the particular services they offer. See, e.g., CTIA Reply at 11-12 (“One key step in protecting consumers and businesses against account takeovers is for organizations to deploy risk-appropriate authentication practices.”); T-Mobile Comments at 2 (“Organizations should use authentication measures that correspond to the value and sensitivity of the accounts involved.”). Additionally, we believe this flexibility alleviates record concerns about the limited information wireless providers may have to authenticate customers of pre-paid accounts. See CTIA Comments at 14-15 (noting that “fighting fraud in the pre-paid context is different than in the post-paid context” and that “providers ordinarily do not collect or have detailed identity information for pre-paid customers”); T-Mobile Comments at 8 (stating that “[p]repaid service generally does not require identity validation for account set-up”); CCA Comments at 6 (noting that pre-paid customers “often do not provide an accurate address or other identifying information, making it difficult for carriers to authenticate an account request”); CTIA Comments at 19-20 (noting that a flexible approach will better serve customers, including pre-paid customers). 27. While the approach we take today gives wireless providers the flexibility to adapt to evolving threats, it also creates an obligation that they adapt to those threats. Specifically, our rule establishes a requirement that wireless providers regularly, but not less than annually, review and, as necessary, update their customer authentication methods to ensure those methods continue to be secure. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14132, para. 27 (seeking comment on how we can account for changes in technology, recognizing that some methods may become hackable over time while additional secure methods of authentication will likely be developed). The record reflects that while many authentication measures may be effective today, evolving tactics may mean those methods will not work tomorrow or in all circumstances. See AT&T Comments at 11 (“While passwords remain a useful and typically effective authentication tool, especially when used in combination with other security mechanisms, that may not be the case in the future. New forms of network-based authentication offer promise for preventing unauthorized access incidents in ways that may be more user-friendly as well.”); Better Identity Coalition Comments at 5-6 (explaining that some forms of multi-factor authentication can be subject to phishing, but other forms are phishing resistant); iProov Comments at 5-7 (explaining that some biometrics can be vulnerable to social engineering and that device-based biometrics are not as secure as cloud-based biometrics). If wireless providers fail to evolve their authentication methods over time, we expect their methods eventually will become ineffective. Therefore, we require wireless providers to regularly, but not less than annually, review their authentication methods, and update them as necessary to ensure that the authentication methods remain effective. 28. Because we impose a general requirement for secure and reasonably designed customer authentication, both permitting and obligating wireless providers to design effective methods to authenticate customers, we decline to enumerate the four specific authentication methods the Commission specified in the SIM Swap and Port-Out Fraud Notice as those that would meet the standard of secure authentication methods. Those four methods were: (i) the use of a pre-established password; (ii) a one-time passcode sent via text message to the account phone number or a pre-registered backup number; (iii) a one-time passcode sent via e-mail to the e-mail address associated with the account; or (iv) a passcode sent using a voice call to the account phone number or a preregistered back-up telephone number. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130, para. 23. No commenters supported our imposing these as the exclusive forms of authentication. We are convinced by the record that specifying approved authentication methods may incentivize wireless providers to rely exclusively on those methods or discourage them from adopting new methods to address evolving techniques used by bad actors. See AT&T Comments at 14 (“The practical effect of the list is that carriers will feel constrained in using non-listed methods for fear that anything else would be unauthorized.”); Better Identity Coalition at 4 (“[W]e have some concerns that if the four authentication methodologies are the only ones listed in the regulation, that it may discourage the use of stronger, more innovative approaches to authentication.”); FIDO Alliance Comments at 3 (arguing that reliance on the four specified authentication methods may disincentive carriers to adopt stronger authentication measures). Further, some commenters assert that requiring specific authentication methods would be burdensome for wireless providers. See AT&T Comments at 13 (explaining that “requiring the use of particular authentication methods for every SIM swap would impose tremendous burdens on carriers and customers without clear additional benefit”); Prove Comments at 2 (“The authentication protocols proposed in the NPRM are, however, overly prescriptive, out-of-date (or soon will be), ineffective, easy to compromise, and overly burdensome for both carriers and consumers.”). Additionally, the record reflects that setting specific authentication methods could provide a roadmap for bad actors seeking to commit fraud. AT&T Comments at 14-15 (“[F]ixed authentication methods for SIM changes and port-outs will provide a roadmap to bad actors”); CTIA Comments at 10-11 (“[I]f every provider authenticates requests in the same way, fraudsters and scammers will find a way around such uniform ‘safeguards.’”). The record also highlights potential vulnerabilities of the four authentication methods we proposed, See Better Identity Coalition Comments at 2-3 (asserting that the four methods we proposed “are all based on authentication methods that are known to be easily compromised” and describing the weaknesses with each); FIDO Alliance Comments at 3-4 (same); Prove Comments at 2-3 (same). which counsels against us codifying these as secure methods of authentication in perpetuity. For these reasons, we conclude it is most appropriate to allow wireless providers to analyze and implement the most effective and secure methods of authenticating customers requesting a SIM change. For similar reasons, we also decline to require carriers to comply with the National Institute of Standards and Technology (NIST) Digital Identity Guidelines or other standards proposed in the record. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14132, para. 28. See CTIA Reply at 18-19 (arguing that while the NIST Digital Identity Guidelines or FIDO Standards might be useful tools, they should not be mandated); Better Identity Coalition Comments at 5 (asserting that while the NIST guidelines are a helpful reference point, they should not be the basis of the Commission’s regulation because they are only updated every 5-7 years and reliance on them “could inadvertently preclude innovation that might better guard against attacks”); iProov Comments at 8; T-Mobile Comments at 13 (asserting that the NIST guidelines are a good reference point for best practices but are not a suitable compliance tool). But see ID.me Comments at 4 (“The FCC should require carriers to comply with NIST SP 800-63-3 IAL2, AAL2, and FAL2 before authorizing SIM Swap and Port-Out transactions.”). 29. We nevertheless place boundaries on the use of certain information for customer authentication for SIM change requests in light of evidence in the record of their particular vulnerability. Namely, we conclude, consistent with our proposal, that methods of authentication that use readily available biographical information, account information, recent payment information, and call detail information do not constitute secure methods of authentication. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14132, para. 30; see also Princeton Comments at 11 (affirming the finding in its 2020 report that biographical information, account information, recent payment information, and call detail information have significant security shortcomings and therefore should not be used as the exclusive means of authentication, individually or in combination with each other). We decline to establish an exigent circumstances exception on the use of this information for authentication for when customers are traveling and may not have access to or remember a PIN, as CTIA asked us to consider. CTIA Nov. 8, 2023 Ex Parte Letter at 8. We believe that such an exception would establish a significant loophole for fraudulent activity and note that in these circumstances, customers can use alternative methods of authentication, such as email. We strongly encourage providers to work with customers to develop backup authentication practices for use in these types of scenarios. We seek comment in the Further Notice on whether we should harmonize our CPNI rules with the SIM change rules we adopt today, and we therefore take no action, at this time, to amend our existing rules to prohibit providers from relying on recent payment and call detail information to authenticate customers for online, telephone, or in-person access to CPNI. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14132-33, para. 30. 30. We decline to restrict the use of SMS-based customer authentication for SIM change requests, but we strongly encourage wireless providers to use this mechanism only when paired with other secure methods of authentication, i.e., as part of multi-factor authentication (MFA). We reject CTIA’s request to remove the language encouraging wireless providers to pair SMS-based authentication with secure methods of authentication and replace it with language encouraging wireless providers to “consider the context in which SMS is deployed, consistent with the discussion in the record” based on the assertion that wireless providers are “are best suited to determine when and how SMS authentication can be securely deployed with their own customers on their own networks.” CTIA Nov. 8, 2023 Ex Parte Letter at 11. The existing language permits providers to make determinations about the best use of SMS-based authentication and simply encourages that it be paired with more secure authentication measures. In the SIM Swap and Port-Out Fraud Notice, we sought comment on the potential security vulnerabilities of SMS-based authentication. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130-31, para. 24. The record clearly expresses concern about the security risks of SMS-based authentication when used by third parties, such as financial institutions, largely because this authentication method becomes vulnerable following fraudulent SIM swaps. See, e.g., BPI/BITS Comments at 2-3 (explaining that a one-time passcode (OTP) sent via SMS can be vulnerable following a fraudulent SIM swap and that “for applications with higher-stakes consumer data such as financial applications, OTP factors remain a target for bad actors”); iProov Comments at 7 (noting SMS-based authentication is vulnerable in part because of SIM swaps, which allow bad actors to intercept calls and messages); CTIA Comments at 5 (“While SMS-based two-factor authentication may be perfectly suitable to some settings, it may not uniformly be appropriate for all types of transactions.”); CTIA Reply at 12 (“SIM cards and the telecommunications accounts associated with them are not always an appropriate method of authentication for third-party apps and services, including organizations like financial and crypto service providers, to rely on to authenticate their end users.”); T-Mobile Comments at 14 (“Entities with sensitive consumer information or assets (e.g., financial services, cryptocurrency wallets, healthcare, insurance, etc.) should be encouraged to use appropriate authentication methods that correspond to the sensitivity of accounts or transactions. SMS as the second factor should not necessarily be the sole authentication method.”); Yubico Comments at 1 (“[A]uthentication based on a person’s phone number that can be SIM Swapped is not a sustainable model due to the fact that the phone number is not fully controlled by the end user.”); FIDO Alliance Comments at 2 (explaining how fraudulent SIM swaps allow criminals and foreign adversaries “to undermine some weaker forms of multi-factor authentication (MFA) such as one-time passcodes (OTPs) transmitted via SMS”); Better Identity Coalition Comments at 2 (noting that attackers trick customers into handing over OTPs sent via SMS when used in other sectors). Several commenters assert that the use of SMS-based authentication by third parties creates significant incentive for bad actors to carry out SIM swap fraud. See, e.g., Better Identity Coalition Comments at 2 (asserting that the fact that SMS “is widely used as an authentication method [by many companies and organizations] has created incentives for criminals to launch SIM Swap attacks”); FIDO Alliance Comments at 3 (“To truly eliminate SIM Swap attacks, the best way to do so is to get companies and organizations to shift from SMS-based authentication to more secure forms of MFA.”); T-Mobile Comments at 14 (“[T]he reliance of financial and cryptocurrency firms on SMS for authentication is driving fraudsters to constantly pursue new avenues of SIM and porting fraud.”). The record evidence is less clear that SMS-based authentication is an insecure mechanism in every instance it is used, such as to authenticate the identity of individuals requesting a SIM change, particularly when sent over a provider’s own network, rather than the Public Switched Telephone Network (PSTN). See, e.g., Verizon Comments at 5 & n.12 (noting that in some cases, SMS “can be an effective authenticator” and that the FTC has found that “in some cases ‘use of SMS text messages as a factor may be the best solution because of its low cost and easy use’” (quoting the FTC’s Safeguards Rule)); AT&T Comments at 6 (noting that “[a]t a higher risk threshold, AT&T uses SMS confirmations ‒ two-way, no charge communications sent to postpaid customers asking them to approve or reject a pending SIM swap or port-out transaction”); Princeton Comments at 3 (“We support allowing SMS and voice call authentication methods when the carrier can deliver the passcode exclusively over its own network and to a specific known device (e.g., smartphone) or point of service (e.g., landline phone) connected to the network and controlled by the customer.”); CTIA Comments at 5 (“SMS text messaging may be an appropriate authentication factor, depending on the nature and the sensitivity of the information being accessed and whether the consumer maintains control over the device and the number associated with it.”); CTIA Reply at 16 (acknowledging that a OTP sent via SMS may not be useful in the case of a lost or stolen phone, but that it “may be perfectly appropriate [for SIM change authentications] when the customer is in possession of the device”). In the SIM Swap and Port-Out Fraud Notice, we highlighted an investigation which found that SMS-based text messages could be easily intercepted and re-routed using a low-cost, online marketing service, but we also explained that wireless providers had reportedly mitigated that vulnerability and no commenters raised this as a concern in the record. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130-31, para. 24. We also acknowledge that, in some instances, it may be the most practical means a provider can authenticate a customer, particularly when considering the needs of a particular customer. See, e.g., CCA Comments at 6 (“[C]ustomers often do not update their carrier with their most recent email addresses or do not regularly check email, whereas a phone number is current and texts are easily accessible. Other carriers have noted that for customers with prepaid accounts, customers often do not provide an accurate address or other identifying information, making it difficult for carriers to authenticate an account request with this kind of information.”); CTIA Reply at 16 (“[T]he record makes clear that customer needs vary, for example as between consumer and business customers, and that those variable customer needs inform authentication practices.”). We recognize that SMS-based authentication also is a common authentication method used by wireless providers. See, e.g., AT&T Comments at 6 (“AT&T routinely uses a one-time PIN delivered via SMS message or an outbound voice call to a postpaid customer’s device for enhanced customer validation, including with SIM swaps.”); CCA Comments at 3 (noting that two-factor authentication with a OTP sent to a phone number is “among the procedures that already are gaining prevalence” by wireless providers and noting that several of CCA’s members prefer text messages for authentication purposes); CTIA Comments at 3-4 (noting that some wireless providers combat SIM swap and port-out fraud by “[e]mploying multi-factor authentication when account changes are requested, including one-time passcodes sent via text message”). We anticipate that the approach we take here strikes the right balance between protecting customers against SIM swap fraud while preserving the relative ease with which customers can obtain legitimate SIM changes. We emphasize, however, that our rules create an ongoing obligation that wireless providers ensure the authentication methods they use are secure. Accordingly, permitting wireless providers to use SMS-based authentication does not create a safe harbor for use of this authentication method. We will continue to monitor the use of SMS-based authentication and may later revisit our decision to permit its continued use. Princeton Comments at 3 (“Commission staff should periodically revisit the security of these authentication methods and reevaluate whether to retain them.”). 2. Response to Failed Authentication Attempts 31. We require wireless providers to develop, maintain, and implement procedures for responding to failed authentication attempts in connection with a SIM change request that are reasonably designed to prevent unauthorized access to a customer’s account, which, among other things, take into consideration the needs of survivors pursuant to the Safe Connections Act and our implementing rules. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 33; Princeton Comments at 7. See also 47 U.S.C. § 345; 47 CFR § 64.6402(b) (a covered provider shall attempt to authenticate, using multiple methods if necessary, that a survivor requesting a line separation is the user of a specific line); 47 CFR § 64.6402(i) (a covered provider shall not notify a primary account holder of a survivor’s request for a SIM change when made in connection with a line separation request pursuant to 47 U.S.C. § 345 and this subpart). We are bolstered by the Princeton University researchers who found evidence that wireless providers’ procedures to respond to suspicious authentication attempts may be inadequate or nonexistent. See Princeton Comments at 7 (“We saw no evident response from carriers to our suspicious customer authentication attempts.”). Specifically, they determined that some wireless providers only required callers to successfully respond to one authentication challenge to obtain a SIM change even if the caller had failed numerous previous authentication attempts. Lee et al. at 62; see also Princeton Comments at 6 (“[W]e found that carriers did not implement adequate safeguards for preventing an attacker from repeatedly calling customer service and attempting a SIM swap.”). While the SIM Swap and Port-Out Fraud Notice raised these issues, no commenters offered evidence to counter the researchers’ findings. Without procedures in place to respond to failed authentication attempts, bad actors can seek to circumvent wireless provider authentication mechanisms to fraudulently obtain a SIM change. We anticipate that requiring wireless providers to establish procedures to respond to failed authentication attempts that are reasonably designed to prevent unauthorized access to a customer’s account will impede these fraud attempts. We conclude that whatever burdens may be associated with this requirement are outweighed by the Commission’s interest in protecting customers against fraudulent activity. 32. At the same time, we are persuaded by T-Mobile’s argument that wireless providers need flexibility with respect to failed authentication attempts because it is common for customers to lose or forget their authentication data, leading to multiple failed attempts. T-Mobile Comments at 7. As such, we decline at this time to adopt prescriptive requirements for how wireless providers must respond to failed authentication attempts in connection with a SIM change request. We find that anchoring this rule in a reasonableness standard will give wireless providers flexibility to design procedures to handle failed authentication attempts that protect against fraudulent activity while preventing unnecessary burdens on legitimate customer activity. See CTIA Reply at 23 (calling for any adopted rules related to failed authentication attempts to be “based on a reasonableness standard, as it would promote robust authentication practices through a flexible, risk-based lens”); Princeton Comments at 6-7 (recommending that the Commission “require that the procedures be reasonably designed to prevent unauthorized access to a customer’s account”). We decline, however, to adopt CTIA’s suggestion to require the development and implementation of such procedures only where a wireless provider has reason to believe multiple authentication attempts are fraudulent; CTIA does not address how such determinations would be made absent the very procedures we require. 33. We decline, at this time, to adopt a requirement that wireless providers immediately notify customers in the event of multiple failed authentication attempts in connection with SIM change requests. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 33 (seeking comment on potential delay and notification requirements in the case of multiple failed authentication attempts). Industry commenters assert that “in many cases, providers will not be able to discern whether a failed authentication attempt is ‘in connection with a SIM change request’ or some other type of transaction involving account access for which authentication is needed and fails,” and that “a carrier does not typically know why a customer authenticates until after the customer has successfully authenticated.” CTIA Nov. 8, 2023 Ex Parte Letter at 6-7; AT&T Nov. 8, 2023 Ex Parte Letter at 3. Further, commenters raise concerns that tracking such attempts across platforms could be technically challenging, See T-Mobile Comments at 12 (asserting that it would be technically difficult to track multiple failed authentication attempts because users attempt to access their accounts across various platforms, such as over the phone, online, or in retail stores run by the carrier or a third party); CTIA Comments at 16 (“[D]eveloping procedures to track multiple failed authentication attempts as contemplated in the NPRM would be challenging for providers, as authentication attempts may occur across different settings (e.g., in person, online, or over the phone) and they may occur at disparate times.”). though we are not persuaded that doing so is technically infeasible. For example, CTIA’s proposal that carriers should only be required to develop and implement procedures for responding to multiple failed authentication attempts “where a carrier has reason to believe such attempts are fraudulent” implies that wireless carriers can and do track multiple authentication attempts, or, at a minimum, are technically capable of doing so. Given these concerns, we find that requiring wireless providers to notify customers immediately of multiple failed authentication attempts associated with a SIM change request is not appropriate at this time. However, we seek comment in the Further Notice below whether we should require wireless providers, or all telecommunications carriers, to notify customers immediately of all failed authentication attempts to help protect customers from account fraud, as well as how wireless providers could implement a customer notice requirement for multiple failed authentication attempts. 34. We also decline to require that wireless providers delay SIM changes for 24 hours in the event of failed authentication attempts while notifying customers via text message and/or email regarding the failed authentication attempts. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 33 (seeking comment on potential delay and notification requirements in the case of multiple failed authentication attempts). The record reflects that strict requirements involving 24-hour delays or account locks could be overly burdensome for customers that are engaged in legitimate SIM changes. See NCTA Comments at 6 ( “[F]orcing providers to lock a customer out of their own account for a certain amount of time can arbitrarily punish customers who are less adept at navigating the authentication process and proving their identity in a secure way.”); AT&T Comments at 2-3; CTIA Comments at 16; T-Mobile Comments at 7. We also anticipate that the requirement to develop, maintain, and implement procedures for responding to failed authentication attempts in connection with a SIM change request that are reasonably designed to prevent unauthorized access to a customer’s account, coupled with the requirement we adopt below that wireless providers immediately notify customers upon receiving a SIM change request, will be sufficient to empower customers to quickly address unauthorized SIM change attempts. 3. Customer Notification of SIM Change Requests 35. To provide customers with an early warning that their account may be subject to fraudulent activity, we adopt our proposal to require wireless providers to provide immediate notification to customers of any requests for a SIM change associated with the customer’s account SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 34. and specify that the notification must be sent before a wireless provider effectuates a SIM change, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. § 345) the Commission’s rules implementing that statute. See Safe Connections Order, FCC 23-96, at para. 77 and Appx. A (new 47 CFR § 64.6402(i)) (prohibiting a covered provider from notifying a primary account holder of a survivor’s request for a SIM change when made in connection with a line separation request pursuant to 47 U.S.C. § 345 and the implementing rules). The record evinces firm support for this requirement See, e.g., Princeton Comments at 7 (“We support the Commission’s proposal requiring customer notification for SIM swap attempts.”); T-Mobile Comments at 2 (“The Commission should adopt its proposal to require reasonable efforts to notify users of port-out requests and SIM changes.”); DC Stone Comments (Express) (“At the consumers[’] option, no SIM porting should be permitted without first sending a notifying email (or SMS message) to a prearranged contact email address (or phone number).”); see also Verizon Comments at 6 (“[N]otifying the customer of attempted and/or executed SIM changes, can be useful tools in some cases.”). and provides good reason—time is often of the essence with SIM swap fraud, and notifying customers of a SIM change request before effectuating the request will enable customers to act promptly to mitigate damages and inconvenience resulting from fraudulent or inadvertent SIM changes. See Princeton Comments at 7 (asserting that notice of a SIM swap attempt is “essential, so that a customer can take prompt action to protect their telecommunications account (e.g., updating a compromised password), their other accounts (e.g., stopping a fraudulent payment), and their devices (e.g., removing malware from a compromised device)”); Prove Comments at 2, 6 (asserting that “consumers should receive timely notice of high risk events such as SIM swaps and port-out requests, and be afforded the opportunity to prevent account takeovers before they are completed”); Andreas Carlos Freund Comments (Express) (“Strengthening these rules will . . . ensure customers are apprised of an attempted attack, so that they can take additional measures to protect their privacy.”); see also 2007 CPNI Order, 22 FCC Rcd at 6942, para. 24 (explaining that, with respect to other types of account changes, the Commission has found that notification is an important tool for customers to monitor their account’s security and enables them to take appropriate action in the event of fraudulent activity). We also expect that requiring notification before the request is processed will prevent the notification from being sent to the bad actor after a SIM swap has occurred. For these reasons, we agree with Princeton University that “[t]here is an unambiguous and material security upside,” to immediate customer notification of SIM change requests, and “the only downside is a very infrequent notification that the customer can easily discard” for legitimate requests. Princeton Comments at 7. 36. We therefore disagree with AT&T’s contention that notification of all SIM change requests is unnecessary because “AT&T employs various tools to assess the risk level of a particular postpaid SIM change or port-out request and very often can determine at the outset that a request is legitimate.” AT&T Comments at 15. The notification requirement we adopt today will provide a uniform safety measure for all requests across the mobile wireless industry, which we anticipate will reduce the instances and mitigate the harms of SIM swap fraud. We also disagree with AT&T’s assertion that customers will become so inundated with SIM change notifications that they will “eventually become numb or immune to them or tire of and consciously choose to ignore them, thus undermining all value they might otherwise have when the threat of fraud is real.” AT&T Comments at 15; see also CTIA Comments at 18 (asserting that notifications can be appropriate in “many instances” but that notifications “must be weighed against other goals, and in general, avoid unnecessary friction in the user experience or other unintended consequences, such as notice fatigue”). Nothing in the record, or our understanding of the SIM change process, supports the notion that customers request SIM changes at such a rate that, upon the adoption of this rule, wireless providers will be forced to inundate their customers with the required notifications. See Princeton Comments at 7. For the same reasons, we decline AT&T’s request that we modify the mandatory SIM change request notification requirement “either to 1) standalone SIM transactions—i.e., SIM swaps that do not include a device change or upgrade—based on the lower propensity for fraud in transactions involving new devices, or 2) SIM transactions that a carrier identifies as having a high propensity for fraud,” on the basis such notifications could cause customer confusion, concern, and fatigue, and could increase costs for carriers because such notifications increase customer calls. Letter from Caroline Van Wie, Vice President, Federal Regulatory, AT&T, to Marlene Dortch, Secretary, FCC, WC Docket No. 21-341, at 3 (filed Nov. 8, 2023) (AT&T Nov. 8, 2023 Ex Parte Letter); see also CTIA Nov. 8, 2023 Ex Parte Letter at 8 (requesting similar SIM transaction notification limitations as AT&T). 37. Also contrary to AT&T’s assertions, See AT&T Comments at 15 (asserting that a notice requirement would impose burdens on wireless providers). we do not anticipate that the notification requirement we adopt today will be overly burdensome for wireless providers to implement. As an initial matter, wireless providers should already have processes in place to immediately notify customers of certain account changes involving CPNI in accordance with our existing rules, 47 CFR § 64.2010(f); 2007 CPNI Order, 22 FCC Rcd at 6942, para. 24 (requiring carriers to “notify customer immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed”). so they should be able to build on these processes to provide immediate notification regarding SIM change requests. The record also demonstrates that some wireless providers already notify customers of SIM change requests in most instances and therefore will only need to update their processes to notify customers in all cases. See AT&T Comments at 6 (explaining that for transactions meeting a certain threshold of AT&T’s “risk model,” it will send one-way SMS notifications of a SIM change request, and for transactions meeting a higher risk threshold, it will require customers confirm the SIM change request via an SMS notification); T-Mobile Comments at 4 (noting that as part of its efforts to “help customers secure their accounts, T-Mobile notifies customers of account changes and requests”); Verizon Comments at 6 (“Verizon already employs (or is on track to employ) many of the methods identified in the NPRM, such as notifying customers of high-risk SIM change authentication attempts, failed or otherwise, and of other account changes.”); CTIA Comments at 18 (explaining that “there are many instances where notifications to consumers are appropriate and providers can and do make reasonable efforts to provide them”). Additionally, as discussed below, we give wireless providers flexibility on how to provide the required notifications, which we expect further minimizes any potential burdens associated with our new rule. For the same reasons, we decline CTIA’s request “to let providers determine whether a notice is warranted or effective in the first instance” on the basis that such flexibility is needed to deal with instances, for example, when a phone is lost or stolen and expedient forms of notification may not be available. CTIA Nov. 8, 2023 Ex Parte Letter at 8. We do not prohibit wireless providers from processing SIM change requests after the notification is sent, and because bad actors may attempt to commit SIM swap fraud by claiming that a device is lost or stolen, that is precisely the type of situation when we want to ensure customers are provided a notification of a SIM change request. In any event, we find that the benefits of our notification requirement outweigh the potential burdens. 38. We permit wireless providers to determine the method of providing notifications regarding SIM change requests involving a customer’s account, but specify that the notifications must be reasonably designed to reach the customer associated with the account, SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134, para. 36. Our rule does not impose a duty on carriers to confirm that the notification has been received and read by the actual customer and therefore it does not impose strict liability on carriers if the notification fails to reach the customer or require carriers to wait to complete a SIM change after delivering a notification. See AT&T Comments at 16. and sent in accordance with customer preferences, if indicated. For example, this would include delivering a notification in the language of the customer’s choosing, if the wireless provider permits communications preferences in other languages and the customer has previously indicated such choice. Although some commenters suggest that we should specify the means by which a wireless provider should deliver SIM change request notifications, See, e.g., Princeton Comments at 7; Prove Comments at 6; DC Stone Comments (Express). we agree with industry commenters that providers need flexibility to determine the most appropriate method to notify their customers of a pending SIM change request, See, e.g., AT&T Comments at 16; T-Mobile Comments at 2; CTIA Reply at 23. so that providers can account for “the complexities of notifications in various contexts,” CTIA Comments at 18. See also AT&T Comments at 16 (“[C]arriers should be permitted to communicate with their customers via the means they deem to be most effective in a particular context.”). Our rule also gives carriers the flexibility to design a notification process that accommodates scenarios beyond individual customers, such as a business customer seeking bulk SIM changes to upgrade their equipment. We note that nothing in the customer safeguard rules we adopt today is inconsistent with or intended to supersede the Commission’s existing business customer exemption, which permits telecommunications carriers to “bind themselves contractually to authentications regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers’ protection of CPNI.” 47 CFR § 64.2010(g); see also CTIA Nov. 8, 2023 Ex Parte Letter at 10-11. as well as the technical capabilities, accessibility needs, or broadband access of individual customers. For example, when a customer is requesting a SIM change because the customer’s phone is lost or stolen, our flexible approach enables wireless providers to use methods of notification that are most likely to reach the customer under those circumstances, such as an email or a text or call to a pre-determined back-up phone number. See CTIA Comments at 18 (noting that “where a phone is lost or stolen, certain notifications will not reach consumers”). We also aim to enable wireless providers to send notifications in accordance with customer preferences, needs, and established expectations. See T-Mobile Comments at 6-7 (encouraging the Commission to consider rule changes that meet “legitimate customer needs” and “promote diversity, inclusion, and accessibility of wireless services”); id. at 9 (asserting that the method of customer notification “should be flexible and reflect customers’ preferences”); AT&T Comments at 11 (noting that “[c]ustomer needs also vary. AT&T provides customers a range of products and services to meet different wireless communications needs. The diverse characteristics of these customers and the products and services they utilize lend themselves to different risk-management approaches.”). As such, we permit wireless providers to use existing methods of notification that are reasonably designed to reach the customer associated with the account, Such methods include, but are not limited to, live or automated telephone calls, text messages, emails, or push notification through wireless provider software applications. See, e.g., Verizon Comments at 6 (“Providers also should have discretion to use a push notification together with supplemental verification methods to stop a high risk transaction.”). and we encourage them to adopt new notification methods as they are developed to stay responsive to evolving fraud schemes. We acknowledge that our new rule differs from our existing rule that providers deliver notification of other account changes involving CPNI, which specifies that those notifications may be delivered through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record. 47 CFR § 64.2010(f). We seek comment in the Further Notice on whether we should harmonize our CPNI rules with the SIM change rules we adopt today, including for notifications. We find that departing from the existing rule’s approach is appropriate given the depth of harm that can occur from SIM swap fraud, the need for wireless providers to be able to choose the most effective method of quickly alerting customers so that customers can take action to mitigate harm, and the importance of providers adopting new forms of notification. 39. We also decline to prescribe particular content or wording of SIM change notifications, recognizing that wireless providers are in the best position to determine what will most effectively notify customers of SIM change requests and potential fraud and will need to tailor notifications to customers’ service plans and circumstances. T-Mobile Comments at 10 (asserting that the “the exact language should be customizable by the carrier to account for the type of request, brand, product, and other factors”); see also Verizon Comments at 6 (“Prescriptive rules for the content . . . of the notification are unnecessary.”). Nevertheless, consistent with the record and our CPNI rules, we specify that such notifications must use clear and concise language that provides sufficient information to effectively inform a customer that a SIM change request involving the customer’s SIM was made. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 34 (seeking comment on a notification requirement); Appx. A (47 CFR § 64.2010(h)(3)). Cf. 47 CFR § 64.2008(c) (stating the CPNI notices must be comprehensible); T-Mobile Comments at 10 (asserting that notifications should be “clear and specific”). We observe that our rule does not prohibit wireless providers from using different content and wording for notifications depending on a provider’s risk assessment of a given SIM change request, so long as the notification uses clear and concise language and is reasonably designed to reach the actual customer. See AT&T Comments at 15 (describing AT&T’s existing risk-based approach for providing SIM change notifications). 40. We further decline to require a delay for customer verification or acknowledgement in connection with notifications prior to completing a SIM change request. In the SIM Swap and Port-Out Fraud Notice, we sought comment on whether we should require a 24-hour delay (or other period of time) before a wireless provider effectuates a SIM change while notifying the customer via text message, email, the provider’s app, or push notification, and requesting verification of the request. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134, para. 37. This approach received minimal support in the record, See, e.g., Robert Ross Comments at 1; DC Stone Comments (Express); see also Prove Comments at 6-7 (suggesting that a short delay may be appropriate to allow customers to terminate a SIM change request but arguing against a long delay because it would “impose unnecessary inconveniences and costs on consumers”); T-Mobile Comments at 10 (explaining that notifications of SIM change requests could seek verification from customers but also arguing that carriers should be permitted to process requests if it does not receive a response within a certain amount of time). and we are convinced by other record evidence that the burdens of delay and verification requirements outweigh the benefits, particularly given how regularly customers seek legitimate SIM changes. For instance, CTIA explains that a blanket delay would “make it exceedingly difficult for a consumer to obtain a new phone and continued service when a device breaks or is lost, representing a full day where that consumer could not rely on their wireless service for . . . ‘keeping in touch with friends through voice calls and text messages’ [and] placing life-saving public safety calls.” CTIA Comments at 9 (cleaned up). AT&T and T-Mobile echoed these concerns. AT&T Comments at 17-18 (“[F]orcing a customer with a lost, stolen, or damaged phone to wait 24 hours (or just a few hours for that matter) before obtaining an active replacement would at best frustrate the consumer . . ., and, at worst, threaten the customer’s safety and impair her ability to engage in commerce, work, and education.”); T-Mobile Comments at 9 (“A 24-hour delay could cause hardship for customers with legitimate reasons to request the swap, such as a lost, stolen, or damaged phone.”). We also anticipate that the authentication, notification, and remediation requirements we adopt today will sufficiently mitigate fraudulent SIM change requests without the need for a burdensome delay and verification process. While we do not require wireless providers to implement a delay and verification process, we permit them to do so in instances when they determine these measures are necessary to protect against fraud, CTIA Comments at 9 (asserting that a delay “may be appropriate in some situations and could help to prevent fraud while balancing important service goals” and that “the Commission should clarify that providers have flexibility to implement such delays as appropriate to address the unique circumstances of any given request or consumer”); T-Mobile Comments at 9 (explaining that verification “would help provide increased security for customers” in some circumstances). but stress that this process should not be used to delay legitimate SIM change requests. 4. Account Locks for SIM Changes 41. We require wireless providers to offer all customers, at no cost, the option to lock or freeze their account to stop SIM changes. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14135, para. 39. We adopt our proposal that account locks must be offered to all customers at no cost because we find that a customer’s financial means should not dictate their access to this enhanced security measure, particularly since customers with lesser financial means may suffer the greatest consequences of SIM swap fraud. This requirement is consistent with other Commission rules governing preferred carrier freezes for Local Exchange Carriers, see 47 CFR § 64.1190, as well as the requirements adopted for port-out locks, infra section III.B.3. To simplify the ability for customers to take advantage of account locks for SIM changes and number ports, we encourage wireless carriers to offer customers the ability to activate both locks in one step. We anticipate that this requirement will provide customers with more consistent and meaningful protection against SIM swap fraud, and this expectation is supported by the record, which reflects that account locks can be powerful tools against SIM swap fraud, particularly for customers that are at high-risk of being a target of the practice. See BPI/BITS Comments at 3-4 (supporting “the FCC’s suggestion to place control of the ability to manage SIM changes requested by telephone and/or online access in the hands of the consumer, likely on their very device” and arguing that “this consumer-managed protection is an additional layer of security”); DC Stone Comments (Express) at 1 (arguing that the Commission should “[r]equire that account freezes be made available for any consumer phone account” as “an effective tool for concerned or savvy consumers to prevent unauthorized account activity and especially fraud, just as with credit reporting agencies”); NCLC/EPIC Comments at 11 (explaining that the ability to lock one’s own account “may provide meaningful protections” and “is an excellent way for an individual consumer to guard against fraud”); but see AT&T Comments at 17 (stating that “[a]ccount locks can be an effective tool to increase the security of customer accounts on occasion,” but opposing that carriers be required to offer them in all instances). 42. Like the other rules we adopt today, we give wireless providers flexibility on how to comply with this measure. In particular, the record does not evince a need for us to prescribe a method or methods for customers to unlock their accounts or impose a waiting period before an unlocked account can be transferred, and as such, we decline to do so at this time. We do require, however, that the process to activate and deactivate an account lock must not be unduly burdensome for customers such that it effectively inhibits them from implementing their choice. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14135, para. 39. Additionally, we stress that when activated, wireless providers must not fulfill SIM change requests until the customer deactivates the lock, Id. except to the extent otherwise required by the Safe Connections Act or the Commission’s rules implementing that statute. See 47 U.S.C. § 345(b)(2) (prohibiting carriers from making valid line separation requests from survivors of domestic violence contingent on any requirement or limitation); Safe Connections Order, FCC 23-96, at para. 76 and Appx. A (new 47 CFR § 64.6402(l)) (requiring a covered provider to effectuate a legitimate line separation request, and any associated number port and SIM change requests, regardless of whether an account lock is activated on the account); id. at Appx. A (new 47 CFR § 64.6402(k)) (requiring that as soon as feasible after receiving a legitimate line separation request from a survivor, a covered provider shall lock the account affected by the line separation request to prevent all SIM changes, number ports, and line cancellations other than those requested as part of the line separation request pursuant to 47 U.S.C. § 345 and the Commission’s rules until the request is processed or denied). We find that the account lock requirement is technically feasible, particularly given evidence that some wireless providers already offer this feature to customers. See T-Mobile Comments at 4 (“[F]or most types of customers, T-Mobile can institute a ‘SIM change block’ that helps protect the customer’s SIM from being used in other devices.”); NCTA Comments at 4-5 (“Wireless providers already engage in many [measures to prevent to prevent SIM swap and port-out fraud] today, including . . . providing the ability to lock or freeze wireless accounts.”); CTIA Reply at 26-27 (“The record demonstrates that absent a requirement, many providers already offer account freeze options to their customers.”); CCA Comments at 3-4 (describing T-Mobile’s free service called “Account Takeover Protection” which “blocks unauthorized users from porting numbers and allows only the billing responsible party to turn the feature off”); see also Verizon, Additional Support Information, https://www.verizon.com/support/port-out-faqs/#setup-freeze (last visited Oct. 18, 2023) (offering a “Number Lock” service that is a customer-managed porting freeze option accessible by dialing 611 or through the MyVerizon app); T-Mobile, Account Takeover Protection by T-Mobile, https://www.t-mobile.com/support/plans-features/account-takeover-protection (last visited Oct. 18, 2023) (providing information on account its Account Takeover Protection feature, which “adds additional security to your account by blocking unauthorized users from transferring your lines to another wireless carrier”). Additionally, we are unpersuaded by AT&T’s claim that “building a system that is capable of widespread adoption of [account locks] would entail significant carrier costs and time for questionable gain.” AT&T Comments at 17. We anticipate that because of these existing account lock offerings and the flexible approach we take, the rule will not be unduly costly for wireless providers to implement, and that to the extent there are costs associated with the requirement, they are outweighed by the associated benefits of preventing fraudulent activity. 43. Consistent with this flexible approach, we permit wireless providers to proactively initiate a SIM swap lock on a customer’s account when a provider believes the customer may be at high risk of fraud. We are persuaded by T-Mobile’s assertion that such capability is valuable because wireless providers are sometimes positioned to know when a customer is at high risk of SIM swap fraud and that this tool allows them to help customers secure their accounts. See T-Mobile Comments at 2, 4. However, we require that wireless providers promptly provide clear notification to the customer that the lock has been activated with instructions on how the customer can deactivate the account lock if the customer chooses, and to promptly comply with the customer’s legitimate request to deactivate the account lock. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14135, para. 39. We also caution wireless providers that any proactive initiation of a SIM change lock must be limited in duration and extend only so long as the high risk of fraud is evident to the provider.  In establishing this limitation, we intend to prohibit wireless provider abuse of SIM change locks to avoid, among other outcomes, preventing the customer from terminating service with the provider or moving to another competing provider. 44. Given the protection that account locks can provide to customers, we conclude that it should be offered to customers of both pre-paid and post-paid services. DC Stone Comments (Express) at 1 (arguing that account locks must be available for any customer account, including pre-paid accounts); cf. Verizon Comments at 4 (“A service provider will have limited information about the prepaid customer, and in many cases, about the customer’s device. Even so, Verizon only allows authentication using reliable, available methods, and has begun integrating systems used for postpaid customers to further align and improve our methods to prevent . . . fraudulent activity.”). We are unpersuaded by AT&T’s assertion that pre-paid service is not amenable to account locks because “[s]ome prepaid customers provide little personal information when they activate their account,” which could make it difficult to authenticate a customer to unlock an account. AT&T Comments at 17; see also CTIA Comments at 15 (asserting that account locks “may negatively impact pre-paid customers whose devices are lost or stolen, as the pre-paid market offers consumers the option to purchase service with less identifiable information than post-paid, and thus information that may be necessary to deactivate a freeze may not have been provided when an account is initialized. Thus this may limit a consumer’s ability to remove a freeze and validate an account where the consumer does not have a working device.”). Because the account lock is an optional security measure for customers, wireless providers can, if necessary, require customers to provide information to use for authentication purposes to activate the account lock. 45. We also disagree with AT&T that an account lock option “should remain a tool that carriers can choose, but are not required, to offer.” AT&T Comments at 17; see also CTIA Reply at 26-27 (arguing that “the Commission should allow wireless providers the flexibility to facilitate choice and competition for all customers when it comes to account freezes” and not require providers to offer account locks). AT&T acknowledges that “[a]ccount locks can be an effective tool to increase the security of customer accounts on occasion,” but it suggests that because “they are not needed to manage the risk of fraud in every case and for every customer,” wireless providers should not be required to offer them to all customers. AT&T Comments at 17. While AT&T’s approach would leave the choice of whether an account lock is necessary exclusively in the hands of wireless providers, we conclude this choice should be placed principally in the hands of the customer, See BPI/BITS Comments at 3-4 (expressing support for requiring carriers to offer account locks because it “place[s] control of the ability to manage SIM changes requested by telephone and/or online access in the hands of the consumer”). the party that is potentially at risk for SIM swap fraud, and therefore we require providers to offer the option to all customers. Likewise, AT&T’s concern that “an account lock can be a source of friction” even for a postpaid customer when the “customer forgets having placed the freeze on the account or dislikes the efforts needed to unfreeze the account” AT&T Comments at 17. is not, we conclude, a valid basis for declining to require that wireless providers offer SIM change locks. The benefits of this account security measure outweigh any potential friction, and we expect that wireless providers can take steps to mitigate any such friction if they choose, such as by providing customers with periodic reminders that they have activated the account lock and on how they can deactivate the lock. Because of the authentication challenges for pre-paid customers and the potential friction for customers who may not want SIM changes to be more difficult, we decline to require account locks be activated by default, on an opt-out basis, as BPI/BITS suggests. BPI/BITS Comments at 3-4. We are also unconvinced by comments claiming that SIM change locks may be of limited value to customers. NCLC/EPIC Comments at 11-12 (“Disclosures and the ability to freeze one’s account are valuable only to those consumers who are savvy enough to a) understand the dynamics involved in freezing, b) understand that the benefits of freezing outweigh the extra burdens imposed (such as requiring that the consumer go through a series of steps to unfreeze the account, and c) actually follow through and freeze one’s account.”); Verizon Comments at 5 (“[A]n account freeze or lock may be superfluous or of limited interest to consumers given the corresponding need for rigorous authentication to remove the freeze or lock.”). This requirement empowers high-risk and security-minded customers to enable additional protections beyond the enhanced authentication requirements and other security measures we adopt today, and it need not be activated by a large percentage of customers for it to be valuable. 5. Tracking Effectiveness of SIM Change Protection Measures 46. We require wireless providers to establish processes to reasonably track and maintain information regarding SIM change requests and their authentication measures, and to retain that information for a minimum of three years. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14136, para. 43 (seeking comment on whether to require carriers to track data regarding SIM swap complaints). We agree with the Princeton University researchers that a tracking requirement will equip wireless providers “to measure the effectiveness of their customer authentication and account protection measures,” See Princeton Comments at 12; see also CTIA Nov. 8, 2023 Ex Parte Letter at 9-10 (requesting that we modify the recordkeeping requirements to incorporate a reasonableness standard on the basis that such a change will still permit the FCC to accomplish its goals while recognizing that providers may not be able to accurately capture all the information required in every instance); CCA Nov. 9. 2023 Ex Parte Letter at 2 (same). and find that they would not otherwise be able to do so effectively without collecting such information. Consistent with recommendations in the record by the Princeton University researchers, we specifically require wireless providers to collect and maintain the following information regarding SIM change requests and authentication measures: the total number of SIM change requests, the number of successful SIM changes requests, the number of failed SIM change requests, the number of successful fraudulent SIM change requests, the average time to remediate a fraudulent SIM change, the total number of complaints received regarding fraudulent SIM changes, the authentication measures the wireless provider has implemented, and when those authentication measures change. See id. The requirement that wireless providers collect and maintain information regarding when authentication measures change simply means that providers must track the introduction and removal of such measures, and not updates or refinements to existing measures. We also strongly encourage them to collect and retain any additional information that will help them measure the effectiveness of their customer authentication and account protection measures. We find that the three-year retention period is appropriate because it allows providers to track the effectiveness of their measures over time and ensures the information is available for a sufficient time should the Commission request it for review. 47. We disagree with CTIA’s assertions that a recordkeeping requirement will divert resources from combating incidences of SIM swap fraud. CTIA Reply at 24-25 (“Others call for overly onerous reporting and recordkeeping requirements. These types of rules would require wireless providers to divert resources from protecting customers to looking in the rearview mirror.”). Instead we find that this data tracking requirement is critical to wireless providers’ efforts to keep ahead of evolving fraud techniques. And the record reflects that some wireless providers already track and analyze information regarding SIM swap fraud and their account protection measures to improve those measures, See AT&T Comments at 2 & 7-8 (indicating that it has tracked the total instances of SIM swap fraud and that it “continually assesses the effectiveness of its countermeasures and refines them over time as needed”); T-Mobile Comments at 6 (“T-Mobile engages in ongoing, proactive threat evaluation, and information collection on threats and fraud for internal purposes.”); CTIA Reply at 1 (stating that its members report tracking the number of legitimate SIM swaps). indicating that this is a practical and cost-effective practice. Thus, while we recognize that this recordkeeping requirement may not be without cost, particularly for wireless providers who do not already collect such information, we find that the benefits of this requirement far exceed any potential costs. 48. We agree with CTIA that the data tracking and retention requirements should only be prospective in nature, Compare CTIA Reply at 24-25 (explaining that if the Commission adopts recordkeeping requirements, it should be prospective) with Princeton Comments at 12 (“We encourage the Commission to also consider collecting a limited amount of historical data on SIM swaps and port-outs, to understand how trends in customer use and fraudulent activity are affected by changes in authentication requirements.”). and as such, we make clear that our rule does not obligate wireless providers to research and collect historic data. We conclude that including historic data in the data tracking requirements we adopt would be burdensome, or even impossible, for small wireless providers and those who do not already track this information. See, e.g., CTIA Reply at 25. 49. We decline to adopt reporting and audit requirements in conjunction with our data tracking requirement, See Princeton Comments at 12 (suggesting that carriers should be required to track and report information on SIM swap and port-out fraud to the Commission); NCLC/EPIC Comments at 6 (arguing that carriers should include information regarding SIM swap and port-out fraud in annual reports to the Commission); Robert Ross Comments at 8 (arguing that “[c]arriers must be required to report all SIM swaps and Port-outs on a monthly basis to the FCC” and undergo annual independent audits). but we do require wireless providers to make the information they collect available to the Commission upon request. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14136, para. 43. Because the information we require wireless providers to collect does not include personally identifiable information (PII) or CPNI, wireless providers will not be required to provide PII or CPNI in response to Commission requests for this information, but the Enforcement Bureau may request PII or CPNI in the course of a specific investigation. Although regular reporting and audit requirements can improve wireless provider incentives and accountability, we do not find that such measures are necessary at this time in light of the other measures we adopt today and providers’ ongoing commitment to be vigilant in combating fraud. AT&T Comments at 1 (“AT&T is committed to protecting its customers and deterring bad actors intent on misusing processes designed for consumer benefit to inflict harm.”); T-Mobile Comments at 8 (“T-Mobile remains vigilant in its efforts to evolve its safeguards to prevent fraud.”); CTIA Comments at 3 (“The wireless industry and the Commission share the goal of protecting consumers from fraud—full stop.”). We maintain the ability to obtain collected information from wireless providers as needed, not only as a potential tool to evaluate whether providers are implementing sufficient measures to address SIM swap fraud, but also to evaluate whether the specific requirements we adopt today continue to be effective or in need of updates to address the evolution of fraud techniques. Consequently, we find that there are insufficient benefits of a regular reporting requirement to outweigh the potential costs. 6. Safeguards on Employee Access to CPNI 50. We require wireless providers to establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI in the course of that customer interaction until after a customer has been properly authenticated. See Appx. A (revised 47 CFR § 64.2010(h)(1)); SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134, para. 38 (seeking comment on whether the Commission should “require carriers to modify customer record systems so that customer service representatives are unable to access CPNI until after the customer has been properly authenticated”); see also Letter from Glenn S. Richards, Counsel for Voice on the Net Coalition (VON), to Marlene H. Dortch, Secretary, FCC, WC Docket No. 21-341 (filed Nov. 7, 2023) (VON Nov. 7, 2023 Ex Parte Letter) (recommending that the Commission make clear that its rule regarding employee access to CPNI apply only to inbound customer support requests to ensure that technical support personal, customer success managers, and other support personnel have appropriate access to support the communications service); CTIA Nov. 8, 2023 Ex Parte Letter at 5 (encouraging the FCC to make clear that the employee access limitations apply to employees who are interacting directly with a customer in the course of that interaction, raising concerns that a broader application could be read to prevent providers’ employees from accessing CPNI outside the context of a direct customer interaction); CCA Nov. 9. 2023 Ex Parte Letter at 2 (similar); Letter from Jill Canfield, General Counsel, VP of Policy, NTCA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 21-341, at 1-2 (filed Nov. 8, 2023) (NTCA Nov. 8, 2023 Ex Parte Letter) (similar). We find, based on the record before us, that requiring wireless providers to limit access to CPNI by employees who receive inbound customer communications until after the customer has been properly authenticated will help to minimize the incidences of SIM swap fraud by preventing customer service representatives from inadvertently or intentionally assisting bad actors in fraudulent schemes. See, e.g., Princeton Comments at 8; NCLC/EPIC Comments at 8-9. We are persuaded that, even with the customer service representative training requirements we adopt today, See infra section III.C (establishing requirements that carriers develop and implement training for customer service representatives to specifically address fraudulent SIM change and port-out attempts, complaints, and remediation). allowing employees who receive inbound customer communications to access CPNI prior to proper authentication of the customer is unnecessary and possibly “invites adversaries to exploit sympathetic, inattentive, or malicious customer service representatives for account access.” Princeton Comments at 9. While we anticipate that employees will comply with training requirements in good faith, “[t]here should be no opportunity for a representative to give a hint or a free pass” that will help bad actors commit fraud. Id. We therefore conclude that requiring wireless providers to establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI in the course of that customer interaction until after the customer has been properly authenticated—“a straightforward fix” Id. and standard data security best practice See, e.g., NCLC/EPIC Comments at 8-9 (explaining that minimizing access to and retention of customer data is a security best practice); Princeton Comments at 7-8 (explaining that access to CPNI prior to authorization “is an unnecessary exposure of customer data and a violation of the information security principle of minimizing system permissions”); Protecting Personal Information: A Guide for Business, Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business (last updated October 2016) (“Scale down access to data. Follow the ‘principle of least privilege.’ That means each employee should have access only to those resources needed to do their particular job.”). —will provide meaningful protection in helping to combat SIM swap fraud. CTIA asserts that applying this rule “represents a sea change in the Commission’s historical approach of prohibiting only disclosure of CPNI prior to authentication that was not clearly or adequately raised” in the NPRM. CTIA Nov. 8, 2023 Ex Parte Letter at 5. We disagree. The Commission specifically sought comment on whether it should “require carriers to modify customer record systems so that customer service representatives are unable to access CPNI until after the customer has been properly authenticated.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134, para. 38. We find that the benefits of this requirement outweigh any potential costs, and that any such costs will be mitigated by allowing telecommunications carriers flexibility to determine the particular safeguards and processes that will prevent employees who receive inbound customer communications from accessing CPNI in the course of that customer interaction until after a customer has been properly authenticated. Below, we seek comment on whether to require all telecommunications carriers to limit access to CPNI by employees who receive inbound customer communications until after the customer has been properly authenticated to minimize customer account fraud. See infra para. 202; see also SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14137, para. 46 (“We seek comment on whether any heightened authentication measures required (or prohibited) should apply for access to all CPNI, or only in cases where SIM change requests are being made.”); Letter from Steven F. Morris, Vice President & Deputy General Counsel, NCTA – The Internet & Television Association, and Josh Bercu, Vice President, Policy and Advocacy, USTelecom – The Broadband Association, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 21-341 et al., at 2 (filed Nov. 7, 2023) (requesting that the Commission solicit additional comment on whether to apply the limits on employee access to CPNI to wireline providers). 51. We decline to adopt other suggested employee safeguards that are overly prescriptive and for which the costs outweigh the benefits. In the SIM Swap and Port-Out Fraud Notice we sought comment on other ways to avoid employee malfeasance, such as requiring two employees to sign off on every SIM change. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134, para. 38. Although we anticipate that two-employee sign off could be an effective account protection mechanism and encourage wireless providers to use this procedure when appropriate, Verizon Comments at 3 (“Two-employee sign-off can be appropriate in circumstances when other authentication methods are unavailable, and Verizon trains select employees to assist customers this way.”). we are persuaded by AT&T’s argument that requiring this procedure for every SIM change would be a significant burden on legitimate SIM change requests given the uncertainty regarding whether it would prevent SIM swap fraud in most instances, AT&T Comments at 18 (“Such a step would be time-intensive, increasing the length of the SIM swap process, and would remain susceptible to social engineering and collusion. Also, it is unclear how the second employee would evaluate the transaction separately from the first employee, or what would happen if, as can occur, a second employee is not available. Last, the frequency (and thus sheer number) of legitimate SIM changes makes this suggestion infeasible in practice.”). and therefore decline to adopt it. We also reject several other requirements proposed in the record concerning customer service representatives who perform SIM changes. Specifically, a mandate that employees who perform SIM swaps be subject to enhanced background checks Robert Ross Comments at 7. may be financially and practically infeasible for large and small wireless providers alike, and could create an incentive for providers to reduce the number of employees capable of performing SIM changes, which would slow the processing of legitimate changes. Requiring employees to swipe a company badge when entering secure facilities is a good practice that we encourage wireless providers to adopt, Id. but the record does not address how this requirement would serve to prevent SIM swap fraud. The proposal to require employees to sign a restrictive confidentiality agreement is faulty for the same reason. Id. Moreover, a proposed restriction on use of performance incentives Id. is overly broad, could stifle competition, and might prevent customers from accessing special offers. Finally, we decline to adopt a proposal that wireless providers “be required to have heightened SIM swap customer care during [weekends and evenings].” Id. at 8 (“SIM swappers come out on weekends and evenings when they know that customer service at mobile carriers, banks and cryptocurrency exchanges are closed. Carriers must be required to have heightened SIM swap customer care during these times.”). We find that providers are best positioned to implement procedures tailored to the level of risk at any given time and should have the flexibility to adjust their practices to address the evolving nature of fraudulent activity. 7. Telecommunications Carriers’ Duty to Protect CPNI 52. While the record shows that some wireless providers have implemented CPNI security practices beyond those required by current rules, See, e.g., AT&T Comments at 4-7 (explaining that “AT&T employs a diverse set of measures to help thwart these bad actors – above and beyond existing regulatory requirements and those proposed in the NPRM,” including scanning an in-store customer’s ID with technology to verify its authenticity, utilizing data analytics to assess a customer’s risk for fraud, and conducting customer education); Better Identity Coalition at 4 (“Notably, two major mobile network operators (MNOs) already support FIDO authentication for their customers, meaning that it is widely used in customer-facing accounts today.”); T-Mobile Comments at 6 (“T-Mobile participates in efforts with other stakeholders to address verification issues and stay at the cutting edge of fraud risk management.”). SIM swap fraud persists. We are also concerned that some wireless providers may view the protection measures we adopt today as sufficient, rather than baseline, protections against SIM swap fraud. To ensure that wireless providers adapt their security practices on an ongoing basis to address evolving techniques used by bad actors to commit SIM swap fraud, See Verizon Comments at 1-2, 5; AT&T Comments at 2 & 11; CCA Comments at 4-5; CTIA Comments at 10-11; CTIA Reply at 15-16; Verizon Comments at 5; Somos Comments at 2. we take this opportunity to remind all telecommunications carriers of their statutory duty to “protect the confidentiality of proprietary information of, and relating to . . . customers,” 47 U.S.C. § 222(a). and their continuing preexisting legal obligation to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 CFR § 64.2010(a); see also NCLC/EPIC Comments at 9 (“Providers must take affirmative measures to discover and protect against fraudulent activity beyond what is specifically dictated by the Commission’s rules.”). Consistent with the Commission’s approach in the 2007 CPNI Order, 2007 CPNI Order, 22 FCC Rcd at 6945-46, paras. 33 & 35 (making clear that the adoption of rules designed to protect against pretexting “does not relieve carriers of their fundamental duty to remain vigilant in their protection of CPNI” and expressing the Commission’s “expectation that carriers will take affirmative measures to discover and protect against activity that is indicative of pretexting beyond what is required by the Commission’s current rules”). we conclude that these existing legal obligations necessarily obligate telecommunications carriers to proactively and regularly review and monitor their policies and procedures to ensure that they continue to be effective at addressing evolving fraud techniques against customer accounts and services—including SIM swap and port-out fraud See, e.g., AT&T Comments at 7 (“AT&T’s suite of tools is not static. AT&T continually assesses the effectiveness of its countermeasures and refines them over time as needed.”); T-Mobile Comments at 6 (“T-Mobile engages in ongoing, proactive threat evaluation, and information collection on threats and fraud for internal purposes. For example, T-Mobile gathers and acts on threat intelligence about cybercriminals potentially targeting wireless carriers and customers, conducts penetration tests of our systems, and engages stakeholders to understand emerging attack patterns. Further, as bad actors pivot to new methods and the account takeover fraud landscape changes, T-Mobile implements new strategies to address both known and potential fraud techniques.”). —and to conduct analyses of fraud incidents to determine how the fraud occurred and implement measures to prevent such tactics from being successful again in the future. See AT&T Comments at 7 (“AT&T conducts routine forensic analysis of unauthorized SIM swaps and port-outs to assess the root cause and evaluate whether new or different countermeasures are appropriate to enhance security. This assessment has resulted in process changes, implementation of new security procedures, and more to guard against threats.”); NCLC/EPIC Comments at 6 (arguing that upon being notified of fraud, carriers should establish “[a] detailed explanation of the fraud, along with an analysis of what measures the provider has taken to prevent a repeat of this breach”). B. Strengthening the Commission’s Number Porting Rules to Protect Consumers 53. Given the potential for consumer harm from port-out fraud, we conclude that the time is ripe to strengthen our number porting rules with baseline measures to increase the protections for customers against fraudulent port-outs. As with our new SIM change rules, the backbone of our new number porting rules is a requirement that wireless providers use secure methods to authenticate customers that are reasonably designed to confirm a customer’s identity prior to effectuating number ports, and we also require wireless providers to notify customers of port-out requests and allow customers to lock their accounts to prevent port-outs. See Appx. A (adding 47 CFR § 52.37). To future-proof our requirements, we give wireless providers flexibility in how to implement them. We anticipate that these new rules will work together to provide meaningful protection to customers while preserving the efficient and effective processing of port-out requests that promotes customer choice and competition. As with our new SIM change rules, we apply these new requirements exclusively to providers of CMRS, as defined in section 20.3 of Title 47 of the Code of Federal Regulations, See supra para. 25. including resellers of CMRS, as the record shows that port-out fraud is focused on mobile wireless customers. See, e.g., AT&T Comments at 1 (noting that “SIM swaps and port-outs are, in short, integral features of the competitive wireless marketplace”); CCA Comments at 1 (explaining that port-out fraud is a method malicious actors use to steal mobile accounts); CTIA Comments at 1-2 (discussing port-out fraud exclusively in the context of wireless services); NCLC/EPIC Comments at 2 (noting that “American cell phone users . . . are extremely vulnerable to having their telephone numbers hijacked by fraudsters through the process of SIM swapping and port-out fraud”); NCTA Comments at 1 (explaining that with port-out fraud, a bad actor “ports the customer’s mobile phone number to the account with the new carrier controlled by the bad actor”). We likewise require wireless providers to implement these rules with respect to customers of both pre-paid and postpaid services. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14141, para. 55. 1. Customer Authentication Requirements 54. We revise our porting rules to require that wireless providers use secure methods to authenticate customers that are reasonably designed to confirm a customer’s identity before completing a port-out request, See id. at 14139-41, paras. 53-56 (seeking comment on whether and how to authenticate customers for port-out requests). except to the extent otherwise required by the Safe Connections Act or the Commission’s rules implementing that statute. The Safe Connections Act prohibits wireless providers from making a line separation contingent on a prohibition or limitation on number portability, provided such portability is technically feasible. 47 U.S.C. § 345(b)(2)(D). The Commission’s rules adopted today implementing the Safe Connections Act require covered providers to attempt to authenticate, using multiple authentication methods if necessary, that a survivor requesting a line separation is a user of a specific line or lines. See Safe Connections Order, FCC 23-96, at para. 52. Covered providers must use methods that are reasonably designed to confirm the survivor is actually a user of the specified line(s) on the account when the survivor is not the primary account holder or a designated user. See id. To the extent this requirement differs from other authentication requirements, including those in 47 CFR § 64.2010, the line separation authentication requirements the Commission adopts to implement 47 U.S.C. § 345 serve as an exception to those other requirements. See id. Consistent with our new SIM change authentication rules, See supra para. 27. we require wireless providers to regularly, but not less than annually, review and, as necessary, update their customer authentication methods to ensure those methods continue to be secure. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14132, para. 27 (seeking comment on whether we should adopt a flexible standard requiring heightened authentication measures for SIM swap requests). 55. As in the SIM change context, we are persuaded by commenters that a general security authentication standard will best allow wireless providers the flexibility to respond to advances in the technology and tactics used by bad actors, providing the greatest protection for customers, and enabling providers to implement authentication methods in ways that work best for the particular services they offer. See supra para. 29 (finding that in the SIM change context, readily available biographical information, account information, recent payment information, and call detail information do not constitute secure methods of authentication); 47 CFR § 64.2010(b). The record reflects that the benefits of allowing wireless providers to determine the best method for authenticating customers outweigh speculative concerns that absent standardized authentication methods, nationwide providers could arbitrarily determine which authentication methods or controls are sufficient before effectuating ports. Compare T-Mobile Comments at 12-13 (stating that “flexibility to offer various secure methods of customer authentication . . . will promote innovation and improved security for customers”); CTIA Reply at 15-16 (“Flexibility is a critical attribute in any authentication standard: it will help prevent authentication practices from lagging behind bad actor tactics, it will facilitate continued improvements in authentication practices, and it will help providers be able to continue to meet customer needs.”); CCA Comments at 5 (explaining that flexibility will allow carriers to adopt future authentication technologies that “prove[] to be more effective or secure than today’s technologies”); Princeton Comments at 4 (“We strongly agree that the Commission’s customer authentication rules should not be technically prescriptive. Authentication methods and security practices continue to evolve, and carriers should be welcome—and encouraged—to adopt innovative safeguards.”); Verizon Comments at 10-11 (“[P]roviders should retain the flexibility they enjoy today to nimbly adopt new authentication safeguards to stay ahead of bad actors.”); with RWA Comments at 12-13 (raising concerns that without a “set of uniform authentication standards” nationwide carriers could “arbitrarily determine which authentication methods or controls are sufficient” thereby potentially increasing costs, creating “barriers for small and rural providers,” or allowing nationwide carriers to “refuse ports from smaller providers deemed ‘unsecure’”). We note also that under the Act and our existing rules, all carriers are required to complete legitimate ports, see supra para. 14, and that our new customer authentication requirements do not give carriers the authority to make determinations about the sufficiency of another carrier’s authentication methods—that responsibility will belong to the Commission, and we will address any concerns regarding the adequacy of authentication methods, as well as inappropriate port denials, as needed. We also agree with CCA that our approach will better serve small wireless providers by permitting them to “use technologies that are reasonably available and have choice in the approach to take in authenticating their customers.” CCA Comments at 5 (“The Commission should also keep in mind the constraints with which many small carriers operate against in adopting security measures. Smaller carriers may have more limited app or e-commerce platforms, and may not currently have the capability, for example, to generate a one-time port out PIN via an app on a 24/7/365 basis.”); but see ID.me Comments at 6-7 (describing its 530 commercial partners, many of which are “smaller businesses with smaller use cases” and asserting that “[c]omplying with NIST guidelines does not pose any difficulties for smaller providers when the integration is enabled by a turnkey, SaaS, credential service provider operating with open protocols”). Additionally, as we concluded with regard to authentication for SIM changes, this flexible approach should resolve concerns about authenticating customers of pre-paid accounts. See CTIA Comments at 14-15 (noting that “fighting fraud in the pre-paid context is different than in the post-paid context” and that “providers ordinarily do not collect or have detailed identity information for pre-paid customers”); T-Mobile Comments at 8 (stating that “[p]repaid service generally does not require identity validation for account set-up”); CCA Comments at 6 (noting that pre-paid customers “often do not provide an accurate address or other identifying information, making it difficult for carriers to authenticate an account request”); CTIA Comments at 19-20 (noting that a flexible approach will better serve customers, including pre-paid customers). 56. We are mindful of the potential effect on competition of our new customer authentication requirements, and thus, we require that the secure authentication methods wireless providers adopt accommodate the needs of the broad spectrum of customers they may serve, including those who do not have data plans or data-enabled devices, have varying degrees of technological literacy, or have disabilities or accommodation needs. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14139-41, paras. 53-56 (seeking comment on customer authentication requirements); NCLC/EPIC Comments at 8 (recognizing that “online authentication is not a viable option for all consumers, especially senior consumers who may not always be technologically savvy” or “[l]ow-income households and households of color [that] are also likely to have limited bandwidth available to use on their mobile phones, making online authentication more difficult for them”); CCA Comments at 7 (“CCA members report experience with potential incoming customers who are unable to find the port PIN provided by their current provider and experience significant frustration” and “especially those who are older or less familiar with technology, may be deterred from selecting a provider who may offer a better service”); Verizon Comments at 6 (noting that in-store customers may be less tech savvy and so flexibility with authentication is necessary). To illustrate, we observe that wireless providers may find requiring a one-time port-out PIN obtained through a provider app is an effective means for authenticating customers with a data-enabled smart phone, but that authentication measure may not be a feasible option for customers without data plans or smartphones, or for those customers who are unable to navigate the technology. As such, this requirement may necessitate the use of multiple authentication methods, such as in-person authentication using government-issued identification, over-the-phone authentication, or alternative methods for individuals with disabilities. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14131, 14146, paras. 25-26 & 73. See 47 CFR §§ 6.3(a)(1)(i) & 14.21(b)(1)(i) (requiring carriers to “[p]rovide at least one mode that does not require user vision” to operate a phone or use an account); 47 CFR §§ 6.3(a)(1)(iv) & 14.21(b)(1)(iv) (requiring carriers to “[p]rovide at least one mode that does not require user auditory perception” to operate a phone or use an account); 47 CFR §§ 6.3(a)(1)(ix) & 14.21(b)(1)(ix) (requiring carriers to “[p]rovide at least one mode that does not require user speech” to operate a phone or use an account). 57. We do not anticipate that using secure methods to authenticate a customer requesting a port-out will be burdensome to wireless providers or unreasonably delay the processing of port-out requests. The record reflects that many wireless providers have already developed and implemented some form of customer authentication for port-out requests. See, e.g., AT&T Comments at 6-7 (describing its routine use of “a one-time PIN delivered via SMS message or an outbound voice call to a postpaid customer’s device for enhanced customer validation,” and its “Number Transfer PIN process to validate postpaid port-out transactions”); CCA Comments at 3-4 (describing U.S. Cellular’s assigning of a PIN code to each customer that is used for customer authentication); Better Identity Coalition Comments at 4 (noting that “two major mobile network operators already support FIDO authentication for their customers”); NCTA Comments at 4-5 (describing authentication measures some wireless providers already use, including account PINs); T-Mobile Comments at 4 (“T-Mobile offers various customer authentication options, which may vary based on customer, account, and device characteristics. T-Mobile customers set up an individual 6-to-15 digit PIN that can be used to verify the customer’s identity when calling customer service. . . . T-Mobile customers must provide their PIN when requesting a port-out associated with that account. Most customers that choose to create a T-Mobile ID for use on My.T-Mobile.com or with the My T-Mobile app have the option of setting up multi-factor authentication (‘MFA’) using methods including security questions, SMS, or device-based biometrics such as Face ID or fingerprint recognition on devices that support such features. T-Mobile uses MFA, consistent with the FCC’s rules, for validating customer identity and verifying the legitimacy of account changes.”); Verizon Comments at 8-9 (describing current authentication measures, including a transaction-specific “Number Transfer PIN” and notifying customers of port requests via text message and email). The approach we adopt today will allow wireless providers to continue using or building upon what is already working in the industry, helping to streamline implementation and costs. We expect wireless providers to design and implement customer authentication processes for port-out requests that minimize porting delays and maintain the industry agreed-upon two-and-a-half hour porting interval for wireless ports. See Wireless Number Portability Order, 18 FCC Rcd at 20979, para. 26; North American Numbering Council Wireless Number Portability Subcommittee Report on Wireless Number Portability Technical, Operational, and Implementation Requirements Phase II, CC Docket No. 95-116 at 13 (filed Sept. 26, 2000). 2. Customer Notification of Port-Out Requests 58. We also revise our numbering rules to require wireless providers to provide immediate notification to their customers whenever a port-out request is made, sent in accordance with customer preferences, if indicated, For example, this would include delivering a notification in the language of the customer’s choosing, if the wireless provider permits communications preferences in other languages and the customer has previously indicated such choice. and specify that the notification must be sent before a provider effectuates a port, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. § 345) or the Commission’s rules implementing that Act. Appx. A (47 CFR § 52.37(c)); see also Safe Connections Order, FCC 23-96, at para. 97 (“To the extent that a survivor initiates a port-out request with a new service provider for a line that is the subject of an in-process line separation request, we prohibit the current service provider from notifying the account holder of the request to port-out that number until after the line separation request has been completed.”); id. at Appx. A (new 47 CFR § 64.6402(i) (a covered provider shall not notify a primary account holder of a request by a survivor to port-out a number that is the subject of a line separation request)). We require that wireless providers notify their customers “immediately” of a porting request to not only ensure that porting requests are processed efficiently, but also help alert customers quickly to potential fraud to allow them to mitigate damages and inconvenience resulting from fraudulent or inadvertent port-outs. See Princeton Comments at 7 (noting that “notice is essential, so that a customer can take prompt action to protect their telecommunications account, their other accounts, and their devices”); Prove Comments at 6 (supporting timely notice for high risk events such as port-out requests so customers can “be afforded the opportunity to prevent account takeovers before they are completed”). The notification requirement will provide a uniform safety measure for all port-out requests across the mobile wireless industry, which we anticipate will reduce the instances of port-out fraud. For the same reasons we raised in the SIM change context, we decline to impose a blanket yes/no verification requirement for authentication attempts. See supra para. 40; SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14139, para. 51. 59. As with SIM change notifications, we decline to prescribe particular methods for providing port-out notifications or particular content and wording for these notifications, but do require that the notification methods be reasonably designed to reach the customer associated with the account and that the content and wording use clear and concise language that provides sufficient information to effectively inform a customer that a port-out request involving the customer’s number was made. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14141-42, paras. 57 (seeking comment on port-out notification requirements). We recognize that wireless providers are in the best position to determine which notification methods and what content and wording will be most effective at notifying customers of port-out requests and potential fraud under the particular circumstances, including the real-world security needs of the transaction, and the technical capabilities, accessibility needs, or broadband access of individual customers. As such, we encourage wireless providers to leverage existing notification methods that are reasonably designed to reach the customer associated with the account, Such measures may include, but are not limited to, live or automated telephone calls, text messages, emails, or push notification through wireless provider software applications. Verizon Comments at 6 (“Providers also should have discretion to use a push notification together with supplemental verification methods to stop a high risk transaction.”). and to adopt new notification methods as they are developed to stay responsive to evolving fraud schemes. 60. On balance, we find that benefits accrued from early warning to customers of potential fraudulent account activity outweigh any potential burdens imposed on wireless providers by this notification requirement. First, we find that customer notification of port-out requests is unlikely to prevent or unreasonably delay customer porting requests, as we require “immediate” notification and do not require a delay or customer verification or acknowledgement of that notification before continuing the porting-out process. Second, because wireless providers are already familiar with notifying customers regarding changes to their accounts, See AT&T Comments at 6 (explaining that for transactions meeting a certain threshold of AT&T’s “risk model,” it will send one-way SMS notifications of a SIM change request, and for transactions meeting a higher risk threshold, it will require customers confirm the SIM change request via an SMS notification); T-Mobile Comments at 4 (noting that as part of its efforts to “help customers secure their accounts, T-Mobile notifies customers of account changes and requests”); Verizon Comments at 6 (“Verizon already employs (or is on track to employ) many of the methods identified in the NPRM, such as notifying customers of high-risk SIM change authentication attempts, failed or otherwise, and of other account changes.”); CTIA Comments at 18 (explaining that “there are many instances where notifications to consumers are appropriate and providers can and do make reasonable efforts to provide them”); 47 CFR § 64.2010(f); 2007 CPNI Order, 22 FCC Rcd at 6942, para. 24. and in many cases likely already notify customers of port-out requests, See, e.g., CCA Comments at 3-4 (describing the current procedures that T-Mobile, U.S. Cellular, and GCI use to notify customers of a change to their account or port-out request, and that other members are “similarly adopting heightened security measures”); see also Wireless Number Portability Order, 18 FCC Rcd at 10975-76, paras. 14-16. we anticipate that wireless providers will face low burdens in implementing today’s customer notification requirement for port-out requests. We also expect that these existing notification systems can be leveraged to help minimize any potential costs associated with notifying customers of port-out requests. Third, we disagree with AT&T’s assertion that customer notification of port-out requests will result in notice fatigue, undermining its efficacy. AT&T Comments at 15 (noting that mandating notice when it is not necessary would lead to frequent notifications that would leave customers “numb or immune to them or tire of [them] and consciously choose to ignore them, thus undermining all value they might otherwise have when the threat of fraud is real”); see also CTIA Comments at 18 (asserting that notifications can be appropriate in “many instances” but that notifications “must be weighed against other goals, and in general, avoid unnecessary friction in the user experience or other unintended consequences, such as notice fatigue”). Nothing in the record supports the notion that customers request port-outs at such a rate that, upon the adoption of this rule, wireless providers will be forced to inundate their customers with the required notifications. For the same reasons, we decline CTIA’s request that customer notification of port-out requests be “limited to situations where the carrier determines that there is an increased risk of fraud” on the basis that the notification requirements “threaten to cause customer confusion, concern, and fatigue,” and could increase costs for carriers because such notifications increase customer calls. CTIA Nov. 8, 2023 Ex Parte Letter at 8. As such, we conclude that the significant benefits of alerting customers to potential fraudulent account activity outweighs any speculative negative impacts on wireless providers or customers. 3. Account Locks for Port-Outs 61. For the same reasons explained above with respect to SIM change requests, See supra section III.A.4. we require wireless providers to offer their customers, at no cost, the ability to lock or freeze their accounts to stop port-outs. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14141-42, para. 57. We anticipate that this requirement will provide customers with more consistent and meaningful protection against fraudulent port-outs. The record reflects that account locks can be powerful tools against fraudulent port-outs, particularly for customers that are at high-risk of being a target of the practice. See, e.g., South Carolina Department of Consumer Affairs Comments at 2 (“Carriers should also offer customers the option to lock port requests, similar to an account freeze, in order to prohibit unauthorized requests.”); DC Stone Comments (Express) at 1 (arguing that account locks are “an effective tool for concerned or savvy consumers to prevent unauthorized account activity and especially fraud, just as with credit reporting agencies”); NCLC/EPIC Comments at 11 (explaining that “the ability to freeze one’s own account is an excellent way for an individual consumer to guard against fraud”). As in the SIM swap context, See supra section III.A.4. we conclude that it should be offered to customers of both pre-paid and post-paid services, See, e.g., DC Stone Comments (Express) at 1 (arguing that account locks must be available for any customer account, including pre-paid accounts); cf. Verizon Comments at 4 (“A service provider will have limited information about the prepaid customer, and in many cases, about the customer’s device. Even so, Verizon only allows authentication using reliable, available methods, and has begun integrating systems used for postpaid customers to further align and improve our methods to prevent . . . fraudulent activity.”). and that this requirement is feasible for both categories of customers despite assertions to the contrary. See, e.g., CTIA Comments at 14-15 (asserting that account locks “may negatively impact pre-paid customers whose devices are lost or stolen, as the pre-paid market offers consumers the option to purchase service with less identifiable information than post-paid, and thus information that may be necessary to deactivate a freeze may not have been provided when an account is initialized. Thus this may limit a consumer’s ability to remove a freeze and validate an account where the consumer does not have a working device”); AT&T Comments at 17 (noting that “an account lock would likely create more of a burden than a benefit for prepaid customers and their carriers” given the discrepancy in information provided, but supporting an optional account freeze). Because the account lock is an optional security measure for customers, carriers can, if necessary, require customers to provide information to use for authentication purposes to activate and deactivate the account lock. 62. Like the other rules we adopt today, we give wireless providers flexibility on how to comply with the measure. See AT&T Comments at 2-3, 12 (arguing, generally, that the Commission should not “[prescribe] specific methods wireless carriers must employ to combat fraudulent SIM swaps and port-outs”); CTIA Reply at 26-27 (“While the Commission’s rules should allow for port freeze options, the rules should also be flexibly designed to recognize that freezes are not always appropriate.”). We decline CTIA’s request that the Commission find that mandatory port-out PINs satisfy this requirement. CTIA Nov. 8, 2023 Ex Parte Letter at 5-6. We discuss the benefits and drawbacks of port-out PINs as a method of customer authentication, above. See supra Section III.B.1. We disagree that a mandatory port-out PIN has the same effect as an optional account lock; while the two protections serve complementary functions, one is focused on customer authentication for a specific one-time request, and the other functions as a customer directed general account security feature. In particular, the record does not evince a need for us to prescribe a method or methods for customers to unlock or unfreeze their accounts or impose a waiting period before an unlocked account can be transferred, and as such, we decline to do so at this time. Although we do not prescribe the exact form of the account lock mechanism wireless providers must adopt, the process to activate and deactivate an account lock must not be unduly burdensome for customers such that it effectively inhibits them from implementing their choice. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14141-42, para. 57 (seeking comment on port-out lock requirements). We stress that when activated, wireless providers must not fulfill port-out requests until the customer deactivates the lock, Id. except to the extent otherwise required by the Safe Connections Act or the Commission’s rules implementing that statute. See 47 U.S.C. § 345(b)(2)(D) (prohibiting carriers from making valid line separation requests from survivors of domestic violence contingent on any requirement or limitation, including restrictions on number portability); Safe Connections Order, FCC 23-96, at para. 76 and Appx. A (new 47 CFR § 64.6402(l)) (requiring a covered provider to effectuate a legitimate line separation request, and any associated number port and SIM change requests, regardless of whether an account lock is activated on the account); id. at Appx. A (new 47 CFR § 64.6402(k)) (requiring that as soon as feasible after receiving a legitimate line separation request from a survivor, a covered provider shall lock the account affected by the line separation request to prevent all SIM changes, number ports, and line cancellations other than those requested as part of the line separation request pursuant to 47 U.S.C. § 345 and the Commission’s rules until the request is processed or denied); id. at Appx. A (new 47 CFR § 64.6404(a)). 63. Consistent with this flexible approach, and as we did with the SIM change rules, we permit wireless providers to proactively initiate a port-out lock on a customers’ account when they believe a customer may be at high risk of fraud, so long as providers promptly provide clear notifications to those customers that a lock has been activated with instructions on how the customers can deactivate account locks if they choose and promptly deactivates the account lock upon receipt of the customer’s legitimate request to do so. See supra para. 43; SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14141, para. 57 (seeking comment on port-out lock requirements). We also caution wireless providers that any proactive initiation of a port-out lock must be limited in duration and extend only so long as the high risk of fraud is evident to the provider.  In establishing this limitation, we intend to prohibit wireless provider abuse of port-out locks to avoid, among other outcomes, preventing the customer from terminating service with the provider or moving to another competing provider. 64. As with account locks for SIM changes, See supra para. 42. given that several wireless providers already voluntarily offer account locks to all their customers, See, e.g., CCA Comments at 3-4 (describing T-Mobile’s free service called “Account Takeover Protection” which “blocks unauthorized users from porting numbers and allows only the billing responsible party to turn the feature off”); CTIA Comments at 3-4 (noting that “examples of the variety of tactics used to combat SIM swapping and port-out fraud include . . . the ability to lock or freeze wireless accounts”); CTIA Reply at 26-27 (“The record demonstrates that absent a requirement, many providers already offer account freeze options to their customers.”); T-Mobile Comments at 4 & 11 (“Qualifying customers may wish to enable safeguards such as setting up account takeover protection—a free feature that prohibits unauthorized users from porting the customer’s phone line to another wireless carrier.”); NCTA Comments at 4-5 (“Wireless providers already engage in many [measures to prevent SIM swap and port-out fraud] today, including . . . providing the ability to lock or freeze wireless accounts.”); see also Verizon, Additional Support Information, https://www.verizon.com/support/port-out-faqs/#setup-freeze (last visited Oct. 18, 2022) (offering a “Number Lock” service that is a customer-managed porting freeze option accessible by dialing 611 or through the MyVerizon app); T-Mobile, Account Takeover Protection by T-Mobile, https://www.t-mobile.com/support/plans-features/account-takeover-protection (last visited Oct. 18, 2023) (providing information on its Account Takeover Protection feature, which “adds additional security to your account by blocking unauthorized users from transferring your lines to another wireless carrier”). and coupled with the flexible approach we adopt, we are unpersuaded by AT&T’s claim that implementing account lock offerings will be unduly costly and time-consuming for wireless providers. AT&T Comments at 17; see also CTIA Nov. 8, 2023 Ex Parte Letter at 5 (asserting that implementing this requirement “is likely to be costly for providers, who will have to offer account lock options to all customers, across all covered systems”). To the extent there are costs associated with the requirement, we find that they are outweighed by the benefits. 4. Wireless Port Validation Fields 65. After review of the record, we decline to codify the wireless port validation fields. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14142, para. 58. We also decline to require wireless providers to implement a customer-initiated passcode field for all wireless-to-wireless number porting requests. Id. at 14142, para. 60. Currently, the mobile wireless industry uses four data fields of customer-provided information to validate a wireless-to-wireless porting request: telephone number, account number, five-digit ZIP code, and passcode (if applicable). See 2007 LNP Four Fields Declaratory Ruling, 22 FCC Rcd at 19557, para. 48. In the SIM Swap and Port-Out Fraud Notice, we sought comment on whether we should “codify the types of information carriers must use to validate simple wireless-to-wireless port requests.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14142, para. 58. While some commenters did not oppose codification of some of the customer-provided wireless data fields, they preferred that the Commission continue to give wireless providers the flexibility to adjust to business and customer needs. Compare Verizon Comments at 10 (supporting codification of “aspects” of the four data fields, noting that “ZIP code is of limited use for verification given its wide availability” and its use to complete porting requests “has resulted in unnecessary confusion”) with CCA Comments at 6-7 (noting that data fields should not be mandatory as flexibility allows carriers to respond to “security needs and capabilities”); AT&T Comments at 15 & n.15 (“Proposed rule § 52.37(a) – (c), addressing data fields to validate a port-out request, should retain the flexibility to allow carriers to continue using temporary transaction-specific PINs assigned by the carrier in lieu of account-level passcodes assigned by customers, as the temporary PIN offers superior protection”); CTIA Comments at 19 (stating that the Commission should “not require the use of a passcode or foreclose the option for providers to use a porting-specific, one-time passcodes”); T-Mobile Comments at 10-11 (encouraging the Commission to not require one-time PINs for validating porting requests, as “secure methods of authentication and carrier practices may evolve over time”). We are persuaded by the record that separate codification of the customer-provided data fields for validation of wireless-to-wireless ports is not necessary at this time, as we have been provided no evidence that wireless providers are not complying with the validation obligations imposed in the Four Fields Declaratory Ruling. 2007 LNP Four Fields Declaratory Ruling, 22 FCC Rcd at 19553-58, paras. 42-49. As such, we decline to separately codify the customer-provided wireless-to-wireless port validation fields at this time. C. Additional Consumer Protection Measures 66. In the SIM Swap and Port-Out Fraud Notice, we sought comment on whether we should adopt additional measures to address the problems associated with SIM swap and port-out fraud. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14144-46, paras. 68-73. As discussed below, we require that wireless providers inform customers of any account protection mechanisms the provider offers, ensure that customer service representatives are trained to recognize bad actors’ attempts at these fraudulent schemes, and deliver timely resolution of SIM swap and port-out fraud when it does occur. We decline, however, to establish a working group to further study and develop solutions to address the harms of SIM swap and port-out fraud. We also decline to adopt other proposals in the record regarding wireless provider liability and dispute resolution related to SIM swap and port-out fraud. 67. Customer Notice of Account Protection Measures. Many of the account protection measures wireless providers offer and that we require wireless providers to adopt today are designed to empower customers to take steps to protect themselves from SIM swap and port-out fraud if they choose, but this empowerment will be stifled if customers are not effectively made aware of the measures that are available. Accordingly, we require wireless providers to provide notice, using clear and concise language, of any account protection measures the provider offers, including the measures we adopt in this Report and Order, and make this notice easily accessible via provider websites and applications. See id. at 14135, para. 39 (seeking comment on a notice requirement and expressing our belief that such notices should be brief, use easy-to-understand language, and be delivered in a manner that is least burdensome to customers). To provide greater clarity on what we require, the language we adopt slightly deviates from what we sought comment on in the SIM Swap and Port-Out Fraud Notice. We decline to specify the exact format or content of the required notice, as we agree with CCA that wireless providers are well-positioned to determine exactly how best to communicate information about account protection measures to their customers. See CCA Comments at 4 (arguing the Commission should allow “carriers to continue to communicate with their customers in the manner that they have found to be most effective”). The record also demonstrates that some wireless providers have already developed content to educate customers about some account protection measures. AT&T Comments at 7 (“AT&T’s website provides information about SIM swap scams and misuse of the porting process and offers guidance about how customers can protect themselves against such fraud.”); T-Mobile Comments at 5-6 (“T-Mobile publishes Safety Tips to educate subscribers on how to protect themselves online and directs customers to additional resources on identity theft and online safety from the FTC, CTIA, and others. T-Mobile’s online resources also inform the customer of what to do if they believe someone has made unauthorized charges to their account.”) (footnote omitted); CTIA Comments at 4 (stating that “[it] provides resources for consumers on steps that they can take to protect their wireless accounts”). 68. We decline to require wireless providers to deliver an annual notice to customers regarding the availability of the account protection mechanisms they offer. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14135, para. 39. The record does not exhibit support for this requirement and we have no basis for concluding that it would be meaningfully more beneficial for customers than our requirement that wireless providers make notice about the availability of account protection measures easily accessible through provider websites and applications. We therefore decline to adopt an annual notice requirement. 69. Employee Training. We require wireless providers to develop and implement training for employees on how to identify, investigate, prevent, and remediate SIM swap and port-out fraud. See id. at 14134-35 & 14144-45, paras. 38 & 69 (seeking comment on training requirements). We find that adopting this employee training requirement will serve as a “first line of defense” against these damaging and evolving practices by preparing employees to defend against such fraud and preventing them from inadvertently or intentionally assisting bad actors in fraudulent schemes. See, e.g., NCLC/EPIC Comments at ii, 8-9 (asserting that the Commission should ensure that “providers prohibit their employees from . . . prompting leading questions or other mechanisms to enable fraudulent swaps”); id. at 6 (explaining that employees who assist victims “should be trained to provide responsive assistance in a timely manner”); Robert Ross Comments at 7-8 (arguing that any employee that a provider authorizes to perform a SIM swap should, amongst other precautions, “go through a higher level of training and repeat training in a program that is custom developed for high-risk transactions”); OPUS Research Comments at 1 (explaining that “the measures to secure SIM Swap and Port-Out employed by wireless service providers are . . . reliant on well-trained staff at retail stores and customer contact centers” and observing that “fraudsters employ ‘human engineering’ techniques to enlist support from sales or customer support personnel through multiple calls into a contact center or visits that too often result in successful identity theft in the form of SIM swaps or porting out of a number”); ATL Comments at 1 (asserting that “implementing additional training for all customer service representatives initiating the port outs would provide consistency in security protocols”). 70. We agree with Verizon that “customer care and employee training programs are critical for preventing and identifying unauthorized and high-risk SIM changes for postpaid customers,” Verizon Comments at 2. and we find that all customers will benefit from employee training. The record reflects the industry’s recognition of the importance of employee training; the country’s three largest wireless providers—Verizon, T-Mobile, and AT&T—have already implemented some training measures for customer service representatives to identify, prevent, and remediate fraud. See Verizon Comments at 3 (“Verizon also trains all customer care employees to identify and prevent unauthorized SIM change attempts through the use of multiple authentication protocols. . . . Customer care employees identifying potentially fraudulent SIM changes refer those reports to dedicated investigative teams.”); T-Mobile Comments at 5 (“T-Mobile trains its employees on how to recognize fraud and account takeover attempts and how to respond if fraud occurs. Customer service representatives complete ongoing interactive training curricula on fraud and response. Moreover, T-Mobile provides resources on combatting fraud to employees. These resources are provided and maintained so that employees are knowledgeable about steps and guidelines for recognizing attack attempts and can properly respond to customer reports of fraud.”); CTIA Comments at 3-4 (“While each provider’s practices are different and many are not publicly visible so as to shield provider tactics from criminals, examples of the variety of tactics used to combat SIM swapping and port-out fraud include: . . . [t]raining employees to identify signs of a fraudulent SIM swap request and uses.”); CTIA Reply at 7-8 (“AT&T reports that its customer service agents complete mandatory training, including on fraud prevention, authentication, social engineering, protection of CPNI, and account verification.”). The record also shows, however, that some wireless providers’ current practices for customer service representative training may be lacking, as there are reported instances of wireless provider employees failing to identify, prevent, or quickly remediate SIM swap and port-out fraud. See, e.g., Erik Faraldo Comments (Express) at 1 (reporting that he attempted to enable a port validation feature offered by his provider to prevent port-out fraud but eventually abandoned the effort due to difficulty reaching customer support, lack of knowledge about the feature by customer support representatives, and long wait times); Robert Ross Comments at 1 (detailing that it only took hackers minutes to complete a fraudulent SIM swap and that remediating the fraud took many months); Lee et al. at 7 (discussing how customer service representatives for some carriers processed SIM swaps without proper authentication under existing mechanisms). We have previously determined that customer service training requirements play an important role in safeguarding the proper use of CPNI and have required telecommunications carriers to train their personnel on when they are and are not authorized to use CPNI. See 47 CFR § 2009(b); CPNI Reconsideration Order, 14 FCC Rcd at 14476-77, para. 130. We similarly conclude that the employee training requirement we adopt today is necessary to ensure customer service representatives are prepared to identify, prevent, and remediate fraudulent SIM change and port-out activity. 71. In applying this requirement, we give wireless providers flexibility on designing their training programs. See, e.g., CCA Comments at 4 (“Should the Commission determine that additional rules are necessary to prevent SIM swap and port out fraud, it should ensure that such rules are sufficiently flexible to account for evolving technologies.”); CTIA Reply at 27 (“[T]here is no one-size-fits-all solution to [protecting customer accounts] and that the measures necessary to protect different customers and different types of services vary greatly.”). But we do require that all employees who may communicate with customers regarding SIM changes and number ports must be trained on how to recognize potentially fraudulent requests, how to recognize when a customer may be the victim of fraud, and how to direct potential victims and individuals making potentially fraudulent requests to employees specifically trained to handle such incidents. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14134-35, 14144-45, paras. 38, 69 (seeking comment on training requirements); Verizon Comments at 3 (explaining that customer care employees identifying potentially fraudulent SIM changes refer those reports to dedicated investigative teams, and observing that there is a toll-free number for customers to contact or obtain assistance from Verizon in the event of an unauthorized SIM change). Given that (1) some wireless providers already train employees on how to address fraud, See supra n.260. (2) our new training requirement builds upon our existing CPNI training rule, 47 CFR § 64.2009(b) (“Telecommunications carriers must train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place.”); see also CPNI Order, 13 FCC Rcd at 8198, para. 198. and (3) we are providing wireless providers with flexibility on how to design their training programs, we do not anticipate that imposing this training requirement will be overly costly for wireless providers. 72. Requirements to Remedy SIM Swap and Port-Out Fraud. We are concerned that in some cases, “consumers who have been the victims of SIM swaps or port-out fraud have had difficulties obtaining assistance from the carriers” when they report it. NCLC/EPIC Comments at 5. Accordingly, we require wireless providers to maintain a clearly disclosed, transparent, and easy-to-use process for customers to report SIM swap and port-out fraud, promptly investigate and take reasonable steps within their control to remediate such fraud, and, upon request, promptly provide customers with documentation of SIM swap and port-out fraud involving their accounts. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14145, para. 69. These measures must be provided to victims of SIM swap and port out fraud at no cost. We anticipate that, in combination, these requirements will serve to minimize the harms that victims experience as a result of SIM swap and port-out fraud. 73. Our requirement that wireless providers maintain a clearly disclosed, transparent, and easy-to-use process for customers to report SIM swap and port-out fraud rests on our concern that customers currently struggle to report SIM swap and port-out fraud to their wireless providers. Princeton Comments at 11-12 (“We recommend that the Commission require carriers to have a clearly disclosed process for customers to quickly and easily report account compromise.”); NCLC/EPIC Comments at ii (asserting that the Commission should “[r]equire carriers to offer a redress program that . . . is fully accessible and transparent to all customers”); see also SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14144-45, para. 69. When customers are unable to find information about how to report such fraud or use existing customer service avenues to do so, it not only frustrates these customers, it prevents initiation of steps to investigate and remediate the fraud, which increases the risk that fraudsters will be able to use a victim’s SIM or phone number to accomplish further fraud. We anticipate that clear methods for reporting SIM swap and port-out fraud that are transparent to customers will “ensure that customers have easy access to information they need to report SIM swap, port-out, or other fraud.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14145, para. 69. We decline to specify the exact means wireless providers must put in place for customers to report SIM swap and port-out fraud, but we stress that the process must be a clearly disclosed, transparent, and easy-to-use process for customers to notify providers. 74. We require wireless providers to establish procedures to promptly investigate and take reasonable steps within their control to remediate SIM swap and port-out fraud because the record demonstrates that even when victims of SIM swap and port-out fraud are successful in reporting such fraud to their providers, they have difficulty obtaining assistance from their providers to remediate the fraud. See Princeton Comments at 11-12 (“There are countless anecdotes of SIM swap and port-out victims who struggle to regain control of their telephone number.”); NCLC/EPIC Comments at 5 (“[M]any consumers who have been the victims of SIM swaps or port-out fraud have had difficulties obtaining assistance from the carriers.”); Erik Faraldo Comments (Express) (describing one customer’s challenges with seeking remediation of SIM swap fraud). This is consequential because “[i]dentity theft, including SIM swap fraud, can cause intense anxiety for victims and must be addressed in a timely manner to prevent financial losses and exposure of personal information.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14145, para. 69. Thus, we conclude that “it should be easy for a customer to get access to appropriate carrier resources that can help mitigate the significant harms caused by SIM swap or port-out fraud.” Id. See also Kyle Ratcliff Comments (Express) (urging that the Commission “mandate carriers adopt an easy-to-use and standardized remediation process for those customers who are affected by this type of identity theft. Given the fact that so much of our day to day lives are currently managed by our smartphones, the last thing a consumer should have to do if they have been victimized is negotiate an increasingly Byzantine system of bureaucracy in order to get their rightful account ownership restored.”). Although we do not specify the procedures that wireless providers must adopt, See Princeton Comments at 11-12 (“We do not take a position on what the nature of that investigation should be or how quickly the carrier should complete it, since the details will vary by account compromise.”). we agree with commenters that investigations must be instigated and resolved expeditiously. See Princeton Comments at 11-12 (“If a carrier receives a credible report of compromise, it should expeditiously investigate without unreasonable delay and, if the report is accurate, restore access to the customer’s account.”); NCLC/EPIC Comments at 6 (asserting the reports of SIM swap and port-our fraud “should trigger . . . [i]mmediate assistance to the customer both to stop further losses [and an] internal investigation by the customer’s provider to determine how the fraud was effectuated”). 75. To ensure victims of SIM swap and port-out fraud have additional means to resolve other consequences that result from SIM swap and port-out fraud, we require wireless providers to give customers documentation regarding such fraud on their accounts, upon request. See NCLC/EPIC Comments at ii (arguing that the Commission should “[r]equire carriers to offer a redress program that . . . includes all information necessary for the customer to cooperate with law enforcement”). In the SIM Swap and Port-Out Fraud Notice, we recognized that “customers sometimes need documentation of the fraud incident to provide to law enforcement, financial institutions, or others to resolve financial fraud or other harms of the incident” and acknowledged that “[a] SIM swap or port-out fraud victim may have difficulty obtaining such documentation from the carrier because the carrier may not have processes in place to produce such documentation.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14144, para. 68. Requiring wireless providers to give fraud victims supporting documentation will enable those victims to seek remedies from other institutions for additional fraud that bad actors achieve using a victim’s SIM or phone number. We do not specify the form that such documentation must take or exactly what information it must contain, but it should be reasonably designed to permit customers to demonstrate to other entities that they were victims of SIM swap or port-out fraud and that bad actors may have used access to a victim’s telecommunications services to carry out additional fraud. Such documentation must address the customer’s interest in protecting his or her account(s) or identity but may be tailored not to include other proprietary, confidential, or law-enforcement-related information regarding the SIM swap or port-out fraud or the account. Additionally, because of the potential harms that can flow from SIM swap and port-out fraud, we also require wireless providers to provide this documentation promptly. 76. We anticipate that the benefits of our requirements will outweigh any potential costs. Although commenters did not address the costs of the additional measures we adopt here, we note that at least one wireless provider has already adopted processes for customers to report SIM swap and port-out fraud, to investigate and remediate such fraud, and to provide documentation of such fraud to customers upon request. See T-Mobile Comments at 5 (“If a customer is a victim of SIM swap or port-out fraud, T-Mobile takes rapid, responsive measures. Customers may report fraud or unauthorized activity by calling T-Mobile’s Customer Care hotline, which is available 24/7. When fraud occurs, T-Mobile’s Fraud Operations specialists act quickly to ensure all fraudulent changes are corrected and any wrongful T-Mobile account charges are refunded. T-Mobile also assists with phone number recovery and provides victims with documentation of the fraud upon request.”). We also anticipate that allowing wireless providers flexibility in how to abide by these new requirements will enable them to adopt cost-effective procedures that will also allow them to successfully resolve SIM swap and port-out fraud incidents when they occur. 77. To maintain the flexibility we believe will be required for wireless providers to adequately tailor and adapt their practices to address SIM swap and port-out fraud, we decline to impose prescriptive measures raised in the SIM Swap and Port-Out Fraud Notice and the record. Specifically, although we encourage wireless providers to establish a dedicated hotline for customers to report SIM swap and port-out fraud See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14145, para. 69; NCLC/EPIC Comments at 5 (“As suggested, a dedicated and well-publicized hotline should be one component.”) (footnote omitted). and respond within 24 hours of a customer reporting suspected fraud, NCLC/EPIC Comments at ii (asserting that the Commission should “[r]equire carriers to offer a redress program that . . . provides timely responses within 24 hours after a complaint is made”). we decline to require that wireless providers adopt these approaches. While the former requirement received support from the National Consumer Law Center (NCLC) and the Electronic Privacy Information Center (EPIC), we conclude that it may not benefit a wireless provider’s customers if it is inconsistent with a provider’s established customer service methods. The latter may be infeasible for certain incidents and is not necessary given our requirement that investigation and remediation be prompt. We also decline to require that wireless providers give customers an alternative number on a temporary basis after SIM swap or port-out fraud has occurred, Id. at 6 (asserting that carriers should “provide a safe alternative mobile telephone” during the mitigation process). as that may promote number resource exhaust in certain areas or for certain wireless providers. However, we encourage wireless providers to offer customers a temporary alternative number when the efforts to remediate SIM swap or port-out fraud may take a significant amount of time or to assist customers who have critical needs to be accessible via phone at the time. We also recognize that adequate remediation may require providing victims with permanent replacement numbers or SIMs, and carriers should effectively assist customers with that transition should that be necessary. We do not find it necessary at this time to require that wireless providers, upon being notified by a customer of fraud, provide “detailed records of the fraud [to law enforcement]” or “offer to the customer to notify financial institutions and creditors, the three national credit reporting agencies, and others of the fraud, to help the customer recover control over their identity, if appropriate.” NCLC/EPIC Comments at 6. While we encourage wireless providers to take these steps upon the request of customers as part of their mitigation efforts, we conclude that our new requirement that providers give customers documentation concerning fraudulent SIM swaps and number ports will be sufficient to allow those customers to alert appropriate entities if needed. We note, however, that we will monitor consumer complaints and may evaluate the remediation programs implemented by wireless providers. If we find that such programs are not adequately resolving SIM swap and port-out fraud in a timely manner, we may take steps to implement more specific requirements in the future. 78. Working Group. While we recognize that the harmful effects of SIM swap and port-out fraud may extend beyond the control of wireless providers and that the incentives to engage in such fraud implicate the security practices of other industries, See, e.g., AT&T Comments at 2 (“SIM swap or port-out [fraud] is only a small part of the scheme to harm the consumer, as these incidents implicate a range of stakeholders not controlled by carriers (e.g., financial institutions, cryptocurrency companies, text message aggregators) that all play a role in the verification of customer identity.”); T-Mobile Comments at 1-2 (“[C]ombatting SIM swap and port-out fraud is a team effort that requires action by an entire ecosystem that includes carriers and subscribers as well as financial institutions, email providers, retail websites, social media companies and others who rely on various customer authentication methods.”); CTIA Reply at 11 (“[T]he record makes it abundantly clear that others beyond the wireless sector need to engage to address the problem of fraudulent account takeovers.”). we decline at this time to direct or rely on standard-setting bodies, industry organizations, or consumer groups to evaluate SIM swap and port-out fraud “to augment our understanding and present possible solutions.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14146, para. 72. Instead, we find it most appropriate to focus on solutions within the scope of the Commission’s authority that we anticipate will mitigate the harmful consequences of this fraud. AT&T Comments at 8 (acknowledging that “SIM swap and port-out scams implicate third parties outside the Commission’s jurisdiction”). Additionally, to the extent that commenters advocated that we direct this issue to a working group before taking action, See, e.g., id. at 3 (asserting that the Commission should “first leverage existing resources and expertise . . . before deciding on a course of action”); Bandwidth Reply at 6 (“In order to fully explore and understand the full breadth of the issues and their potential solutions, Bandwidth agrees with those opening comments that recommend that the Commission support inclusive and consensus-driven industry efforts as its next step in this proceeding.”); cf. T-Mobile Comments at 14-15 (suggesting that “the FCC could coordinate with other regulators, such as financial services or healthcare regulators, on strategies” to address SIM swap and port-out fraud and that “[t]he Commission also may want to coordinate with NIST on addressing authentication issues”). we disagree with that approach and find that doing so would only delay solutions that we expect will benefit customers now. Although we decline to rely on a working group, we also do not foreclose wireless providers from forming or entering into cross-sector, multi-stakeholder efforts, independent of Commission direction, to seek broader solutions to the harms that may ultimately result from SIM swap and port-out fraud. See, e.g., CTIA Reply at 11 (“[T]he Commission should convene a cross-sector, multi-stakeholder working group to study the broader questions in the NPRM that go beyond the rule changes proposed.”). 79. Provider Liability and Dispute Resolution. We decline to adopt proposals in the record that prescribe provider liability and dispute resolution requirements for disputes between wireless providers and customers. 80. NCLC and EPIC argue that the Commission should “[r]equire carriers to offer a redress program that . . . provides full coverage of losses to customers who have been the victims of a fraudulent SIM swap or port-out fraud,” which they say would “[p]rovide strong financial incentives to providers to stop SIM swapping and port-out fraud.” NCLC/EPIC Comments at ii. We agree with CTIA, however, that telecommunications carriers are “but one link in the chain of consumer and business protection from account takeover fraud,” CTIA Reply at 13-14. and therefore that the responsibility for financial harms that a bad actor may be able to perpetuate following such fraud is borne by several parties, including, significantly, the bad actor. Imposing such liability on wireless providers would be inequitable and would reduce the incentives for e-mail and social media providers, financial institutions, healthcare providers, retail websites, and other entities that rely on cell phone-based identity authentication to improve their security practices, See id. (“[H]olding providers solely or presumptively liable risks undermining the incentives other players involved in SIM swap losses, such as banks and crypto wallets, have to prevent fraud. Such an approach also would be inequitable.”). as well as reduce the incentive for customers to act responsibly. For example, if customers knew that wireless providers must provide full coverage of losses resulting from SIM swap and port-out fraud, they might not be fully incentivized to place locks on their account or take appropriate action when they receive notice from their wireless providers about unauthorized SIM swap and port-out requests or failed authentication attempts. We note, however, that compliance with our rules is not a safe harbor for wireless providers; customers will still be able to pursue any existing remedies available by law. See, e.g., Al Weiss v. AT&T Inc., No. 6:23-cv-00120 (M.D. Fla., filed Jan. 23, 2023); Eman Bayani v. T-Mobile USA, Inc., No. 2:23-cv-00271 (W.D. Wash. filed Feb. 27, 2023); Samuel Whatley, II v. T-Mobile USA, Inc., No. 2:23-cv-1339-RMG-MGB (D.S.C. filed Apr. 3, 2023); Feliks Roitman and Yekaterina Shkolnik v. T-Mobile USA, Inc., No. 1:23-cv-06159 (E.D.N.Y., filed Aug. 16, 2023). 81. Similarly, we decline to specify, as NCLC and EPIC request, that wireless providers are “fully responsible for any abuse committed by its employees, whether the employees acted either intentionally or negligently,” NCLC/EPIC Comments at 10. although we make clear that this statement does not absolve wireless providers of any liability for employee actions that already exists. We anticipate that the requirements we adopt today—including employee training regarding SIM swap and port-out fraud and restrictions on the ability of employees to access CPNI prior to authentication—will ensure that wireless providers implement adequate procedures to prevent employees from perpetuating SIM swap and port-out fraud. 82. Finally, we decline to adopt NCLC and EPIC’s proposal that “any arbitration clauses in the providers’ agreements with consumers explicitly exclude resolutions” of SIM swap and port-out fraud disputes at this time. Id. at 6. They urge this because “[o]therwise, consumers who have not been made whole, or who have difficulties obtaining relief for frauds that are perpetrated on them because of the provider’s insufficiently strict authentication protocols, will have no meaningful way of enforcing the protections mandated by the Commission.” Id. The Commission has full authority to enforce the protections it has mandated, and we anticipate that the rules we adopt today, coupled with this enforcement authority, will incentivize wireless providers to adopt strong practices to protect customers from SIM swap and port-out fraud. Nonetheless, we seek comment below on whether the Commission should require providers to exclude disputes about SIM swapping or porting fraud from arbitration clauses. See infra Further Notice. We encourage customers and public interest organizations to submit complaints and evidence of wireless providers failing to comply with these new rules in support of our enforcement efforts. D. Implementation Timeframe 83. We require wireless providers to comply with the requirements we adopt today six months after the effective date of the Report and Order or, for those requirements subject to review by the Office of Management and Budget (OMB), upon completion of that review, whichever is later. We conclude that providing six months to achieve compliance with rules that are not subject to OMB review accounts for the urgency of safeguarding customers from these fraudulent schemes, and will allow wireless providers to coordinate any updates needed to their systems and processes to comply with the Safe Connections Act and the rules we adopt to implement that statute. See generally Safe Connections Order. But see Letter from Steven F. Morris, Vice President & Deputy General Counsel, NCTA – The Internet & Television Association, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 21-341 et al., at 2 (filed Nov. 7, 2023) (requesting an 18 month implementation timeframe, asserting that additional time is needed because “there are numerous steps required for providers to implement [changes to their subscription and account management procedures and systems], including, for example, IT grooming, design and development, unified customer communications notification and development, development testing, quality assurance testing, user acceptance testing, and training”); NTCA Nov. 8, 2023 Ex Parte Letter at 2 (expressing support for the 18-month implementation timeframe requested by NCTA); CCA Nov. 9, 2023 Ex Parte Letter at 1-2; CTIA Nov. 8, 2023 Ex Parte Letter at 2 (requesting an implementation timeframe of 24 months, or at a minimum 18 months, for the same reasons, and given that “providers are simultaneously preparing to come into compliance with the Safe Connections Act and its implementing regulations”). SIM swap and port-out fraud can result in substantial harm to the customer, including loss of service on their devices. Fraudulent SIM swaps and port-outs allow bad actors to perpetrate greater fraud by giving them the means to complete text and voice authentications to access the victim’s other accounts, and as such, we find that an aggressive implementation timeframe is appropriate to provide these important consumer protections without substantial delay. We agree with some commenters that while many wireless providers can immediately implement the revisions to our CPNI and number porting rules, other providers may require this additional time. See T-Mobile Comments at 13-14 (“While some of the changes proposed by the FCC can be implemented immediately, others may require a longer implementation timeframe.”); NCTA Comments at 8 (“[I]t is important to provide sufficient time for carriers to implement [new obligations] in a way that is robust, thorough, and clear so that they do not cause customer confusion”). Some wireless providers already employ authentication See, e.g., AT&T Comments at 13 (“Carriers are already authenticating customers using one or more of the methods identified in the Commission’s existing and/or proposed rules.”); id. at 6-7 (describing its routine use of “a one-time PIN delivered via SMS message or an outbound voice call to a postpaid customer’s device for enhanced customer validation,” and its “Number Transfer PIN process to validate postpaid port-out transactions”); CCA Comments at 3-4 (describing U.S. Cellular’s assigning of a PIN code to each customer that is used for customer authentication); Better Identity Coalition Comments at 4 (noting that “two major mobile network operators already support FIDO authentication for their customers”); NCTA Comments at 4-5 (describing authentication measures some wireless providers already use, including account PINs); T-Mobile Comments at 4 (“T-Mobile offers various customer authentication options, which may vary based on customer, account, and device characteristics.”); Verizon Comments at 8-9 (describing current authentication measures, including a transaction-specific “Number Transfer PIN” and notifying customers of port requests via text message and email); CTIA Comments at 3-4 (noting that some providers already employ multi-factor authentication when account changes are requested). and notification See, e.g., AT&T Comments at 6 (explaining that for transactions meeting a certain threshold of AT&T’s “risk model,” it will send one-way SMS notifications of a SIM change request, and for transactions meeting a higher risk threshold, it will require customers confirm the SIM change request via an SMS notification); T-Mobile Comments at 4 (noting that “T-Mobile notifies customers of account changes and requests”); Verizon Comments at 6 (“Verizon already . . . notif[ies] customers of high-risk SIM change authentication attempts, failed or otherwise, and of other account changes.”); CCA Comments at 3-4 (describing the current procedures that T-Mobile, U.S. Cellular, and GCI use to notify customers of a change to their account or port-out request, and that other members are “similarly adopting heightened security measures”); CTIA Comments at 3-4 (explaining that some providers notify customers when a SIM swap is initiated). measures to process SIM change and port-out requests, offer account change locks, See, e.g., T-Mobile Comments at 4 (“[F]or most types of customers, T-Mobile can institute a ‘SIM change block’. . .”); NCTA Comments at 4-5 (“Wireless providers already . . . provid[e] the ability to lock or freeze wireless accounts.”); CTIA Reply at 26-27 (“[M]any providers already offer account freeze options to their customers.”); CCA Comments at 3-4 (describing T-Mobile’s “Account Takeover Protection” service, which “blocks unauthorized users from porting numbers and allows only the billing responsible party to turn the feature off”). provide notice to customers about available fraud protection measures, AT&T Comments at 7 (“AT&T’s website provides information about SIM swap scams and misuse of the porting process and offers guidance about how customers can protect themselves against such fraud.”); T-Mobile Comments at 5-6 (“T-Mobile publishes Safety Tips to educate subscribers on how to protect themselves online and directs customers to additional resources on identity theft and online safety from the FTC, CTIA, and others. T-Mobile’s online resources also inform the customer of what to do if they believe someone has made unauthorized charges to their account.”) (footnote omitted); CTIA Comments at 4 (stating that “[it] provides resources for consumers on steps that they can take to protect their wireless accounts”). and train employees on how to address SIM swap and port-out fraud, See, e.g., Verizon Comments at 3 (“Verizon also trains all customer care employees to identify and prevent unauthorized SIM change attempts through the use of multiple authentication protocols. . . . Customer care employees identifying potentially fraudulent SIM changes refer those reports to dedicated investigative teams.”); T-Mobile Comments at 5 (“T-Mobile trains its employees on how to recognize fraud and account takeover attempts and how to respond if fraud occurs.”); CTIA Comments at 3-4 (listing employee training as an example of the tactics providers use to combat SIM swap and port-out fraud); CTIA Reply at 7-8 (“AT&T reports that its customer service agents complete mandatory training, including on fraud prevention, authentication, social engineering, protection of CPNI, and account verification.”). and may simply need to refine those practices to align with our rules. Other providers, particularly smaller providers, may need the additional time to upgrade their systems, implement modifications to their policies and procedures, and conduct new customer service representative training. See, e.g., NCTA Comments at 8 (“Many of the potential solutions might require modifications to internal systems, as well as significant training of company personnel.”). We conclude that providing six months after the effective date of the Report and Order to implement these revisions to our CPNI and number porting rules strikes the right balance between time for wireless providers to implement these changes and accounting for the urgency of safeguarding customers from these fraudulent schemes. We also find that this implementation timeframe is consistent with other proceedings and regulatory frameworks adopted by the Commission where consumer protection and numbering requirements were at issue. See, e.g., 2007 CPNI Order, 22 FCC Rcd at 6958, para. 61 (concluding that six months was sufficient for carriers to implement the revised CPNI rules to address pretext (except for certain small carriers) “in light of the importance of this issue to the public interest”); 2007 LNP Four Fields Declaratory Ruling, 22 FCC Rcd at 19552, 19557, paras. 40, 48 (concluding that 90 days was sufficient time for carriers to comply with LNP validation requirements and requiring interconnected VoIP providers and their numbering partners to comply with LNP obligations 30 days after Federal Register publication, subject to OMB review and approval). While we acknowledge industry’s concerns that implementing these new rules will be a multistep process for many providers, See, e.g., CTIA Nov. 8, 2023 Ex Parte Letter at 2-3. providers themselves acknowledge the necessity of implementing today’s revisions to our CPNI and LNP rules concurrently with our rules implementing the Safe Connections Act, given how both frameworks address many of the same actions (e.g., account locks, customer notifications, customer authentication). See, e.g., NCTA Nov. 7, 2023 Ex Parte Letter at 2-3 (“[M]any of the requirements that will be imposed in connection with the Safe Connections item operate as exceptions to the verification and security requirements that will be imposed in the SIM Swap and Port-Out Fraud item.”). And as we explain in the Safe Connections Order, “permitting a more extended compliance timeframe for implementing the line separation provisions, as advocated for by industry commenters, would be inconsistent with the urgency Congress demonstrated with the underlying statutory obligation as well as with the critical wireless communications needs of survivors well-documented in the record.” Safe Connections Order, FCC 23-96, at para. 103. For all of these reasons, we require wireless providers to implement the rules we adopt today six months after the effective date of this Report and Order, subject to review by OMB. E. Legal Authority 84. The rules we adopt today build on the Commission’s existing rules to implement Congress’s mandates to ensure that telecommunications carriers (which include, for purposes of our CPNI rules, providers of interconnected VoIP service) protect the confidentiality of proprietary information of, and relating to, customers and to provide number portability in accordance with requirements prescribed by the Commission. As such, the rules we adopt are well-grounded in our authority in sections 222 and 251, as well as other provisions of the Act. 85. SIM Changes. Congress, through section 222 of the Act, requires telecommunications carriers to protect the privacy and security of customers’ proprietary information that carriers obtain by virtue of providing a telecommunications service. Congress extended this duty and others described herein to wireless providers. See 47 U.S.C. § 332(c)(1)(A) (“A person engaged in the provision of a service that is a commercial mobile service shall, insofar as such person is so engaged, be treated as a common carrier for purposes of this chapter.”). Under section 222(a), every telecommunications carrier has a “duty to protect the confidentiality of proprietary information of, and relating to, . . . customers.” 47 U.S.C. § 222(a). Section 222(c)(1) provides that a telecommunications carrier may only use, disclose, or permit access to customers’ individually identifiable CPNI that it has received or obtained by virtue of its provision of a telecommunications service in limited circumstances: (1) as required by law; (2) with the customer’s approval; or (3) in its provision of the telecommunications service from which such information is derived or its provision of services necessary to, or used in, the provision of such telecommunications service. 47 U.S.C. § 222(c)(1). 86. The Commission has previously stated that to comply with these section 222 requirements, “telecommunications carriers [must] establish effective safeguards to protect against unauthorized use or disclosure of CPNI.” See 2007 CPNI Order, 22 FCC Rcd at 6932, para. 9 (citing the CPNI Order, 13 FCC Rcd at 8195, para. 193). We note that the Commission’s CPNI rules apply not only to telecommunications carriers that are subject to Title II of the Act, but also to interconnected VoIP providers.  See id. at 6954-57, paras. 54-59 (relying on the Commission’s Title I ancillary jurisdiction to apply CPNI rules to interconnected VoIP service providers); see also 47 CFR § 64.2003(o) (“For the purposes of this subpart, the term ‘telecommunications carrier’ or ‘carrier’ shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.”). The Commission also has established rules pursuant to its section 222 authority to ensure such safeguards are in place. Among other things, the Commission’s rules require carriers to take “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI” and to “properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.” 47 CFR § 64.2010(a); see also 2007 CPNI Order, 22 FCC Rcd at 6959-60, paras. 63-66. Like these safeguards, our action today “strengthen[s] our privacy rules by adopting additional safeguards to protect customers’ CPNI against unauthorized access and disclosure.” 2007 CPNI Order, 22 FCC Rcd at 6928, para. 1. 87. Fraudulent SIM swaps result in unauthorized disclosure of and access to customers’ accounts, including individually identifiable CPNI. The Act defines CPNI as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.” 47 U.S.C. § 222(h)(1). By successfully obtaining a fraudulent SIM swap, a bad actor can access CPNI such as incoming call information (including the date and time of the call and number from which the call is made), and gain access to a victim’s account, potentially giving the bad actor access to other CPNI, like outgoing call history (including numbers called and the location, frequency, duration, and timing of such calls) See 2007 CPNI Order, 22 FCC Rcd at 6936, para. 13 & n.45 (defining this information as call detail information and finding it to be CPNI). and the victim’s bills and the services purchased by the victim. And as described above, fraudulent SIM swaps allow bad actors to perpetrate greater fraud by giving them the means to complete text and voice authentications to access the victim’s other accounts. See supra section II. 88. In light of the foregoing, we find that the rules we adopt today to address SIM swap fraud advance the protections against unauthorized disclosure of, and access to, individually identifiable CPNI and other sensitive personal information about customers, and therefore are squarely grounded in the Commission’s authority under section 222. Our requirement that wireless providers use secure methods of authenticating their customers that are reasonably designed to confirm a customer’s identity prior to effectuating a SIM change request will help prevent unauthorized disclosure of and access to such information. This requirement also sustains customer decisions regarding disclosure of their information—if a wireless provider completes a SIM change requested by someone other than the actual customer, then the wireless provider has not obtained the customer’s approval to disclose their CPNI in accordance with section 222(c)(1). Section 222(f) of the Act also provides that for purposes of section 222(c)(1), without the “express prior authorization” of the customer, a customer shall not be considered to have approved the use or disclosure of or access to (1) call location information concerning the user of a commercial mobile service or (2) automatic crash notification information of any person other than for use in the operation of an automatic crash notification system.” 47 U.S.C. § 222(f). 89. The other rules we adopt reinforce the protections afforded by this new rule. For instance, the requirement that wireless providers develop, maintain, and implement procedures to respond to failed authentication attempts will likewise serve to prevent unauthorized disclosure of and access to CPNI. The rule requiring that wireless providers establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI until after the customer has been properly authenticated will prevent inadvertent disclosure of CPNI to those making unauthorized requests and inhibit the ability of employees to participate in fraudulent SIM swaps. Employee training requirements will not only improve their ability to recognize and derail fraudulent SIM change requests, such requirements will better prepare customer service representatives to address customer complaints and remediate fraudulent SIM swaps when they do occur. Requiring wireless providers to maintain a clear process for customers to report fraud, investigate and remediate fraud, and provide customers with documentation of fraud involving their accounts will ensure that the harms of SIM swap and port-out fraud are mitigated when it does occur. And the requirement that wireless providers keep records of data regarding SIM change requests and the authentication measures they have in place will help ensure that wireless providers have information they need to measure the effectiveness of their customer authentication and account protection measures and make informed decisions about how they should be updated over time. 90. Our rules also further the goals of section 222 by enabling customers to take action to prevent and address fraudulent SIM changes, and therefore help wireless providers protect against unauthorized disclosure and access to CPNI. The requirement that wireless providers immediately notify customers regarding SIM change requests provides added protection by giving customers information they can use to notify their providers that a fraudulent request has occurred at the time of the request or shortly thereafter so that the provider can take timely steps to remediate the situation. Requiring wireless providers to offer customers the option to lock their accounts so that their providers are prohibited from processing SIM changes gives security-minded customers or those who are at high risk of fraud a tool to prevent a fraudulent request from being processed in the first instance. Additionally, our new rule that wireless providers make notice of account protection mechanisms easily accessible via their websites and applications ensures that customers are aware of these tools. We also conclude that the requirements we establish to promptly resolve SIM swap and port-out fraud extend from our section 222 authority because they will help to mitigate the unauthorized disclosure of and access to CPNI. 91. Finally, the new customer authentication requirements, with which both facilities-based providers and resellers must comply, apply to both pre-paid and postpaid services, which is consistent with section 222(a)’s mandate that “[e]very telecommunications carrier . . . protect the confidentiality of [customer] proprietary information” and section 222’s instruction that all “customers” of those carriers benefit from such protections. 47 U.S.C. § 222(a) (emphasis added); 47 U.S.C. §§ 222(a), (c)(1), (h)(1) (all referring to “customers” of telecommunications carriers without distinguishing between customers who subscribe to pre-paid and postpaid service). 92. While section 222 provides firm foundation for our rules to address SIM swap fraud, we also find that section 251(e) of the Act provides additional authority for these rules. 47 U.S.C. § 251(e). In section 251(e)(1), Congress expressly assigned to the Commission exclusive jurisdiction over that portion of the North American Number Plan (NANP) that pertains to the United States and related telephone numbering issues. 47 U.S.C. § 251(e)(1). The Commission retained its “authority to set policy with respect to all facets of numbering administration in the United States.” Implementation of the Local Competition Provision of the Telecommunications Act of 1996 et al., CC Docket No. 96-98 et al., Second Report and Order and Memorandum Opinion and Order, 11 FCC Rcd 19392, 19512, para. 271 (1996) (Local Competition Second Report and Order) (explaining that by retaining exclusive jurisdiction over numbering policy the Commission preserves its ability to act flexibly and expeditiously). Because our new SIM change rules prevent and address misuse of NANP numbers assigned to wireless devices, we conclude that those rules are supported by our exclusive numbering authority within section 251(e). 93. Number Porting. We rely on our authority derived from sections 1, 2, 4(i), 251(e), and 332 of the Act to implement the changes to our number porting rules to address port-out fraud. As the Commission has consistently found since 1996, “[w]e possess independent authority under sections 1, 2, 4(i), and 332 of the Communications Act of 1934, as amended, to require CMRS providers to provide number portability as we deem appropriate.” First Number Portability Order, 11 FCC Rcd at 8431, para. 153; see also First Number Portability Order on Reconsideration, 12 FCC Rcd at 7315, para. 141; LNP Standard Fields Order, 25 FCC Rcd at 6955 n.10; Porting Interval Order and FNPRM, 24 FCC Rcd at 6085 n.8; 2007 VoIP LNP Order, 22 FCC Rcd at 19534 n.11. We rely on this well-established authority to adopt number porting rules applicable to wireless providers that address port-out fraud. 94. We also find that the exclusive numbering authority that Congress granted this Commission under section 251(e)(1) provides ample authority to extend the LNP requirements as set out in this Report and Order. Specifically, in section 251(e)(1) of the Act, Congress expressly assigned to the Commission exclusive jurisdiction over that portion of the NANP that pertains to the United States and related telephone numbering issues. 47 U.S.C. § 251(e)(1). The Commission retained its “authority to set policy with respect to all facets of numbering administration in the United States.” Local Competition Second Report and Order, 11 FCC Rcd at 19512, para. 271 (explaining that by retaining exclusive jurisdiction over numbering policy the Commission preserves its ability to act flexibly and expeditiously). We find that the revisions to our number porting rules designed to protect the customers from port-out fraud fit comfortably within our exclusive numbering authority because the requirements we establish to prevent and promptly resolve port-out fraud are necessary to address improper use of numbering resources and ensure that customers can recover their numbers when fraudulent ports have occurred. See, e.g., 2007 VoIP LNP Order, 22 FCC Rcd at 19543, para. 22 (explaining that to the extent service providers provide services that offer customers NANP telephone numbers, those service providers subject themselves to the Commission’s plenary authority under section 251(e)(1) with respect to those numbers, and using that plenary authority to extend local number portability requirements to interconnected VoIP providers and their numbering partners). 95. Other Sources of Authority. While the provisions discussed above provide sufficient authority for the entirety of the rules we adopt in this Report and Order, we find additional support under sections 201 and 303. Sections 201 and 303 of the Act generally give the Commission authority for prescribing rules, but we also rely on these sources of authority as described herein. See 47 U.S.C. § 201(b) (“The Commission may prescribe such rules and regulations as may be necessary in the public interest to carry out the provisions of this chapter.”); AT&T Corp. v. Iowa Utils. Bd., 525 U.S. 366, 378 (1999) (holding that the last sentence in section 201(b) “means what it says: The FCC has rulemaking authority to carry out the ‘provisions of this Act,’” including provisions added by the Telecommunications Act of 1996); 2007 CPNI Order, 22 FCC Rcd at 6943, para. 27 n.94 (“Section 201(b) authorizes the Commission to ‘prescribe such rules and regulations as may be necessary in the public interest to carry out the provisions of this Act,’ including section 222.”); 47 U.S.C. § 303 (“Except as otherwise provided in this chapter, the Commission from time to time, as public convenience, interest, or necessity requires, shall—(r) Make such rules and regulations and prescribe such restrictions and conditions, not inconsistent with law, as may be necessary to carry out the provisions of this chapter.”). 96. Section 201(b) authorizes the Commission to prescribe rules to implement carriers’ statutory duty not to engage in conduct that is “unjust or unreasonable.” 47 U.S.C. § 201(b). We conclude that practices that allow for fraudulent SIM swaps and number ports are unjust and unreasonable because they are contrary to the reasonable expectations of customers, are not reasonably avoidable by customers, and can cause substantial customer harm. We also rely on our section 201(b) authority to find that the inability for customers to effectively seek remedies from their wireless providers when fraudulent SIM swaps and port outs have occurred is “unjust and unreasonable,” and therefore warrants these rules. Id. We would also find these practices unjust and unreasonable when a wireless provider says it will implement reasonable measures to prevent fraudulent SIM swaps and number ports but fails to do so. Our findings here are similar to and consistent with how the Federal Trade Commission (FTC) addresses inadequate data security measures under section 5 of the FTC Act. Privacy and Security Enforcement, Federal Trade Commission, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement (last visited Oct. 18, 2023) (“The FTC has brought legal actions against organizations that . . . misled [consumers] by failing to maintain security for sensitive consumer information.”). 97. We also rely on our broad authority under Title III, which allows us to protect the public interest through spectrum licensing. Pursuant to section 303(b)’s directive that the Commission must, consistent with the public interest, “[p]rescribe the nature of the service to be rendered by each class of licensed stations and each station within any class,” 47 U.S.C. § 303(b); Cellco P’ship v. FCC, 700 F.3d 534, 542-43 (D.C. Cir. 2012). these revisions to our CPNI and number porting requirements prescribe the conditions under which licensed wireless providers must provide their services. They specifically require licensed wireless providers to provide their services in a way that protects the interests of their customers, including reasonable measures to prevent fraudulent acts against their customers. IV. FURTHER NOTICE OF PROPOSED RULEMAKING 98. Harmonizing the CPNI Safeguards Rules. In this Further Notice, we first seek comment on whether to harmonize the existing requirements governing customer access to CPNI See 47 CFR § 64.2010. with the SIM change authentication and protection measures we adopt today. This Further Notice expands on questions the Commission asked in the SIM Swap and Port-Out Fraud Notice and several comments in the record, but seeks more targeted feedback on a specific approach. In particular, in the SIM Swap and Port-Out Fraud Notice, the Commission asked “whether any new or revised customer authentication measures . . . would offer benefits for all purposes.” SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14136, para. 44. The Commission also asked whether there are “benefits to providing expanded authentication requirements before providing access to CPNI to someone claiming to be a carrier’s customer,” as well as “whether any heightened authentication measures required (or prohibited) should apply for access to all CPNI, or only in cases where SIM change requests are being made.” Id. at 14137, para. 46. Additionally, the Commission proposed to add a prohibition on the use of recent payment and call detail information to authenticate customers for online access to CPNI. See id. at 14132-33, para. 30. 99. Several commenters suggested that we harmonize our CPNI authentication rules with the SIM change authentication rules we adopt. See, e.g., CTIA Reply at 21-22 (advocating for “a harmonized approach to the Commission’s authentication standards across a variety of settings with respect to CPNI access”) (emphasis in original); Princeton Comments at 8 (“The Commission should modernize and harmonize baseline authentication requirements for telephone access to CPNI, online access to CPNI, SIM swaps, and number portability authentication methods.”); Verizon Comments at 7-8 (“The Commission should thus align the existing authentication rules to the NPRM’s flexible, non-prescriptive approach by requiring providers to use security [sic] authentication methods for CPNI access without dictating the provider’s method.”). These commenters offered several rationales that potentially support harmonization of these rules, including that: (1) the CPNI authentication requirements are outdated and therefore vulnerable to fraud; See, e.g., CTIA Comments at 18 (asserting that the CPNI rules “do not reflect the most up-to-date authentication best practices”); Verizon Comments at 7 (asserting that “[m]any customer authentication and security tools have surpassed the effectiveness of [the current CPNI rules for customer authentication]”); FIDO Alliance Comments at 4 (“In general, industry and government are moving away from knowledge-based approaches to authentication (i.e. passwords).”); Robert Ross Comments at 7 (“[I]n-store authentication is highly susceptible to human error by store personnel.”); AT&T Comments at 5 (“But no method of authentication is foolproof or effective in every instance. Customers forget passwords and lose their IDs (often at the same time they lose their wireless device). By the same token, passwords can be socially engineered, hacked or stolen, and driver’s licenses and other government-issued ID cards can be faked.”); but see AT&T Comments at 5 (“Anti-fraud measures developed consistent with the Commission’s existing authentication requirements protect consumers in most instances.”). (2) inconsistent rules are more burdensome on carriers; See, e.g., Princeton Comments at 8 (“The Commission’s proposed rules would establish five separate customer authentication standards: (1) telephone access to CPNI, (2) online access to CPNI, (3) in-store access to CPNI, (4) SIM swaps, and (5) number portability.”); Princeton Comments at 10 (“[A] unified approach will be easier to implement: carriers need only adopt one compliant customer authentication system for all account access and operations.”). (3) some carriers default to specified authentication measures and are disincentivized from adopting more secure measures; See, e.g., AT&T Comments at 14 (“Moreover, locking in a particular list of authentication methods would play into bad actors’ hands by discouraging carriers from adopting new methods not expressly blessed by the Commission’s rule, while inhibiting the ability of carriers and other stakeholders to innovate, as necessary and appropriate, to address evolving threats.”). (4) a prescribed list provides a road map for bad actors; See, e.g., AT&T Comments at 14-15 (asserting that “fixed authentication methods for SIM changes and port-outs will provide a roadmap to bad actors”); CTIA Comments at 11 (“[R]igid and prescriptive requirements hurt security more than they may help. . . . To this point, the NPRM asks whether ‘requiring specific methods of authentication provides a ‘roadmap’ to bad actors.’ The answer is a resounding yes.”) (footnote omitted). and (5) the existing CPNI authentication requirements could undermine stronger authentication measures for SIM changes and number ports. See, e.g., Princeton Comments at 10 (describing how “a unified approach to customer authentication avoids subtle inconsistencies between levels of authentication that could undermine multi-factor authentication” used for SIM swaps and number ports). Harmonization also would be consistent with commenters’ assertions that carriers need flexibility to implement more secure authentication measures. See, e.g., CCA Comments at 5 (“[T]he Commission should allow for flexibility for carriers to respond quickly and nimbly to new threats and to encourage adopting innovative solutions to threats.”); Princeton Comments at 4 (“Authentication methods and security practices continue to evolve, and carriers should be welcome—and encouraged—to adopt innovative safeguards.”); Somos Comments at 2 (“As with most fraud the telecom industry suffers, the bad actors are constantly evolving. Solutions should evolve, as well.”); Verizon Comments at 7 (“To keep ahead of bad actors, providers need flexibility to employ other more secure alternatives to passwords and government-issued IDs.”); Better Identity Coalition at 4 (“Any regulatory approach that seeks to tie MNOs to using specific authentication technologies is certain to fail to keep up as threat and security both evolve.”). We seek comment on these justifications. 100. We also seek comment on other potential justifications for harmonization. For instance, we tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. We further tentatively conclude that multiple authentication standards and protection requirements may be confusing for customers. Are these tentative conclusions correct? 101. We seek comment on any reasons why we should not harmonize our CPNI and SIM change authentication rules. For example, would it be costly and burdensome for carriers, particularly small carriers, to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements we adopted today? Are there other reasons harmonized rules would increase the costs or burdens on carriers, including small carriers? Is there anything unique about CPNI or SIM changes that warrants different authentication measures?  For instance, even if the existing measures for CPNI authentication may be outdated and less secure, are modifications to the rules unwarranted because the risk of harm from unauthorized access to CPNI is lower than from SIM swap fraud? 102. If we do choose to harmonize the rules addressing customer access to CPNI with our new SIM change safeguards, we seek comment on the extent to which the rules should be harmonized. We seek comment whether to remove the prescriptive authentication requirements in our current CPNI rules See 47 CFR § 64.2010(b)-(e). and replace them with the single requirement that carriers use secure methods of authenticating the identity of a customer prior to disclosing CPNI. We also seek comment on whether to use the same definition of secure methods of authentication, which are those that are reasonably designed to confirm a customer’s identity and excluding use of readily available biographical information, account information, recent payment information, call detail information, or any combination of these factors. See supra section III.A.1. Additionally, we seek comment on whether the procedures we require carriers to adopt for responding to failed authentication attempts in connection with SIM change requests should apply to all other CPNI authentications as well. See supra section III.A.2. We also seek comment on whether the CPNI customer access rules should be harmonized with any of the other SIM change protections we adopt today. Should the limits on access to CPNI by employees who receive inbound customer communications prior to authentication of the customer apply to all telecommunications carriers? Should the CPNI rules only be harmonized to include some of these measures? If so, which measures should and should not be harmonized and why? Should we harmonize the customer notification rules for all account changes? Additionally, are there any other rules that would need to be modified for consistency if we harmonize the CPNI rules, such as the Commission’s Telecommunications Relay Service (TRS) CPNI rules? See, e.g., 47 CFR § 64.5110. Should the Commission apply any harmonized rules to all customer proprietary information? 103. We tentatively conclude that we should rely on the same legal authority we used to originally implement the CPNI authentication rules in order to harmonize any of the CPNI rules, and seek comment on this tentative approach. In the 2007 CPNI Order, as with the rules we adopted today, we relied primarily on section 222 to implement the CPNI authentication rules, and we tentatively conclude this provision continues to provide us with sufficient authority to harmonize those rules with the SIM change rules. See 2007 CPNI Order, 22 FCC Rcd at 6930-31, paras. 4-6; supra section III.E. We seek comment on this tentative conclusion. We also seek comment on whether there are any legal implications for the harmonization approach we propose. For instance, in the 2016 Broadband Privacy Order, the Commission harmonized the CPNI rules for voice providers with those it had adopted for broadband Internet access service providers, See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Report and Order, 31 FCC Rcd 13911, 13913, para. 3 (2016). but those rules were nullified by Congress pursuant to the Congressional Review Act, Joint Resolution, Pub. L. No. 155-22 (2017). which prohibits the Commission from reissuing a disapproved rule “in substantially the same form” and from issuing a new rule “that is substantially the same as such a rule.” 5 U.S.C. § 801(b)(2). We tentatively conclude that the 2017 action by Congress has no effect on the options we may consider here and seek comment on this tentative conclusion. 104. Harmonizing Government Efforts to Address SIM Swap and Port-Out Fraud. We seek comment on what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. T-Mobile Comments at 14 (“[T]he FCC could coordinate with other regulators, such as financial services or healthcare regulators, on strategies. Other regulators may consider new rules on authentication and steer companies away from relying on methods that are not suitable given the nature and sensitivity of information or functions being accessed.”). As several commenters noted, SIM swap and port-out fraud implicates the authentication practices of other industries. See, e.g., Verizon Comments at 7 (“While a wireless provider’s practices could prove to be reasonable, effective and thorough, the fraud prevention practices of the customer’s financial institution, or the customer’s email provider, may not.”); AT&T Comments at 2 (“SIM swap or port-out [fraud] is only a small part of the scheme to harm the consumer, as these incidents implicate a range of stakeholders not controlled by carriers (e.g., financial institutions, cryptocurrency companies, text message aggregators) that all play a role in the verification of customer identity.”); T-Mobile Comments at 1-2 (“[C]ombatting SIM swap and port-out fraud is a team effort that requires action by an entire ecosystem that includes carriers and subscribers as well as financial institutions, email providers, retail websites, social media companies and others who rely on various customer authentication methods.”); CTIA Comments at 2 (“All actors across the mobile and Internet ecosystem—including financial and social media companies whose users’ accounts are often targeted—must work together to thwart the bad actors that perpetrate these crimes.”); CCA Comments at 1 (“[M]obile customers’ phones have become the link between an individual’s sensitive health records, banking and financial information, email, and social media accounts. SIM swap and port out fraud are two methods that malicious actors increasingly are using not only to steal mobile accounts, but also to engage in broader identity theft.”); Princeton Comments at 12 (“SIM swaps are an increasing attack vector for online account compromises, especially in the financial services sector.”). We recognize that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices. We seek information about those other efforts and the extent to which they seek to address the practices of wireless providers. We also seek comment on how the Commission can work with other government entities to harmonize our approaches to addressing SIM swap and port-out fraud. 105. Customer Notification of Failed Customer Authentication Attempts. We seek comment on whether we should require wireless providers to immediately notify customers in the event of a failed authentication attempt, See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14133, para. 33 (seeking comment on what processes providers can implement to prevent bad actors from attempting multiple authentication methods, including potentially notifying customers). except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. § 345) or the Commission’s rules implementing that statute. See Safe Connections Order, FCC 23-96, at para. 52 and Appx. A (new 47 CFR § 64.6402(b)) (requiring that covered providers attempt to authenticate, using multiple authentication methods if necessary, that a survivor requesting a line separation is a user of a specific line or lines) (emphasis added); id. at para. 100 and Appx. A (revised 47 CFR § 64.2010(f)(2)) (clarifying that the rule requiring carriers to notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed does not apply when such changes are made in connection with a line separation request made pursuant to the Safe Connections Act); id. at para. 77 and Appx. A (new 47 CFR § 64.6402(i)) (prohibiting a covered provider from notifying a primary account holder of a survivor’s request for a SIM change when made in connection with a line separation request pursuant to 47 U.S.C. § 345 and the implementing rules); id. at para. 101 (making clear that compliance with the Safe Connections Act and rules implementing it supersede and preempt any conflicting obligations under state law, Commission’s rules, or state rules). We believe that such notifications could empower customers to take action to prevent unauthorized access to their account when failed authentication attempts are fraudulent. Should we require all telecommunications carriers to provide such notifications to customers? In the event the Commission were to require such notifications, we tentatively conclude that the notifications should be reasonably designed to reach the customer associated with the account but otherwise would permit wireless providers to determine the method of providing these notifications, taking into consideration the needs of survivors pursuant to the Safe Connections Act and our implementing rules. We also tentatively conclude that such notifications should use “clear and concise language” but do not propose to prescribe particular content or wording for the notifications. 106. Industry commenters assert that “a carrier does not typically know why a customer authenticates until after the customer has successfully authenticated.” CTIA Nov. 8, 2023 Ex Parte Letter at 6-7; AT&T Nov. 8, 2023 Ex Parte Letter at 3. Based on these assertions, should we permit carriers to employ “reasonable risk assessment techniques to determine when a failed authentication attempt requires customer notification,” AT&T Nov. 8, 2023 Ex Parte Letter at 3 or require notification only in instances of multiple failed attempts, or when there is reasonable suspicion of fraud? See CCA Nov. 9, 2023 Ex Parte Letter at 2; CTIA Nov. 8, 2023 Ex Parte Letter at 7. What are the benefits and costs of doing so, for both providers and customers? If we were to require customer notification only where there were multiple failed authentication attempts, what standard would we use to determine what constitutes “multiple,” and how would providers track multiple authentication attempts across different platforms (i.e., phone, application, and website)? 107. Other Consumer Protection Measures. We reiterate the Commission’s request for comment on whether there are any additional requirements the Commission should consider that would help protect customers from SIM swap or port-out fraud or assist them with resolving problems resulting from such incidents. See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14144, para. 68. For example, should we require wireless providers to explicitly exclude resolution of SIM change and port-out fraud disputes from arbitration clauses in providers’ agreements with customers or abrogate such clauses? NCLC/EPIC Comments at 6. Would this provide meaningful additional protections to customers from SIM swap and port-out fraud? What would be the costs to wireless providers, particularly small providers, from such a requirement? 108. Digital Equity and Inclusion. Finally, the Commission, as part of its continuing effort to advance digital equity for all, Section 1 of the Communications Act of 1934 as amended provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. § 151. including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 Fed. Reg. 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (January 20, 2021). and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority. V. PROCEDURAL MATTERS 109. Paperwork Reduction Act Analysis. This Report and Order may contain new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. All such requirements will be submitted to OMB for review under Section 3507(d) of the PRA. OMB, the general public, and other Federal agencies will be invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, we note that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. § 3506(c)(4), we previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. 110. In this Report and Order, we have assessed the effects of required customer notifications and notices, and related recordkeeping requirements, to protect customers from SIM swap and port-out fraud, and find that they do not place a significant burden on small businesses. Although no commenters specifically addressed whether such requirements may place burdens on small wireless providers, we note that CCA advised the Commission to “keep in mind the constraints with which many small carriers operate against in adopting security measures,” asserting that any rules “should allow carriers to use technologies that are reasonably available and have choice in the approach to take in authenticating their customers.” CCA Comments at 6. See also RWA Comments at 12-13 (advocating for uniform authentication standards to avoid anticompetitive effects and other costs or burdens on small wireless providers). As a general matter, the baseline, flexible rules we adopt reflect our recognition that, in some cases, strict prescriptive requirements to prevent SIM swap and port-out fraud could be technically and economically infeasible for wireless providers to implement, particularly for smaller providers. See supra para. 23. We emphasize that the record shows that many wireless providers already have in place some of the policies and procedures we adopt today and that our rules may therefore only require them to adapt, refine, or consistently apply those existing practices. See supra paras. 20, 23, 37, 42, 57, 60, 64, 67, 70. Additionally, by setting baseline requirements and giving wireless providers flexibility on how to meet them, we allow providers to adopt the most cost-effective and least burdensome solutions to achieve the level of security needed to protect customers against SIM swap and port-out fraud in a given circumstance. See supra para. 23. We have further minimized the potential burdens of customer notifications by declining to prescribe particular content and wording and giving wireless providers flexibility on how to deliver such notifications. See sections III.A.3& III.B.2. Similarly, for customer notices, we declined to require a specific format and content, and we declined to require such notices be delivered to customers annually. See supra section III.C.. Further, we mitigated potential burdens of the recordkeeping requirement by declining to require that wireless providers include historic data in their recordkeeping, which we acknowledged would be particularly burdensome for small providers, and declining to require that providers report this data to the Commission regularly. See supra section III.A.5. 111. The Further Notice of Proposed Rulemaking may contain new or modified information collection(s) subject to the Paperwork Reduction Act of 1995. Pub. L. No. 104-13. All such new or modified information collection requirements will be submitted to OMB for review under section 3507(d) of the PRA. OMB, the general public, and other federal agencies are invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Pub. L. No. 107-198. we seek specific comment on how we might “further reduce the information collection burden for small business concerns with fewer than 25 employees.” 44 U.S.C. § 3506(c)(4). 112. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA) 5 U.S.C. § 603. The RFA, 5 U.S.C. § 601 et seq., has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” 5 U.S.C. § 605(b). Accordingly, the Commission has prepared a Final Regulatory Flexibility Analysis (FRFA) concerning the potential impact of the rule and policy changes adopted in this Report and Order on small entities. The FRFA is set forth in Appendix B. 113. We have also prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the potential impact of rule and policy change proposals in the Further Notice on small entities. The IRFA is set forth in Appendix C. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the Further Notice indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA. 114. Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is “non-major” under the Congressional Review Act, 5 U.S.C. § 804(2). The Commission will send a copy of this Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). 115. Ex Parte Presentations. The proceeding shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must: (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. 116. Comment Period and Filing Procedures. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS) or by paper. Commenters should refer to WC Docket No. 21-341 when filing in response to this Further Notice. · Electronic Filers: Comments may be filed electronically by accessing ECFS at https://www.fcc.gov/ecfs. · Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. Paper filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. · Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, DA 20-304, Public Notice, 35 FCC Rcd 2788 (2020), https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy. · Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. · U.S. Postal Service first-class, Express, and Priority Mail must be addressed to 45 L Street NE, Washington, D.C. 20554. 117. Providing Accountability Through Transparency Act. The Providing Accountability Through Transparency Act requires each agency, in providing notice of a rulemaking, to post online a brief plain-language summary of the proposed rule. 5 U.S.C. § 553(b)(4).  The Providing Accountability Through Transparency Act, Pub. L. No. 118-9 (2023), amended section 553(b) of the Administrative Procedure Act.   Accordingly, the Commission will publish the required summary of this Further Notice of Proposed Rulemaking on https://www.fcc.gov/proposed-rulemakings. 118. People with Disabilities. To request materials in accessible formats for people with disabilities (Braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the FCC’s Consumer and Governmental Affairs Bureau at (202) 418-0530 (voice). 119. Additional Information. For additional information on this proceeding, contact Melissa Kirkel, Wireline Competition Bureau, Competition Policy Division, at 202-418-7958 or melissa.kirkel@fcc.gov. VI. ORDERING CLAUSES 120. Accordingly, IT IS ORDERED that, pursuant to the authority contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 152, 154, 201, 222, 251, 303, and 332, this Report and Order in WC Docket No. 21-341 IS ADOPTED and that Parts 52 and 64 of the Commission’s Rules, 47 CFR Parts 52, 64, are AMENDED as set forth in Appendix A. 121. IT IS FURTHER ORDERED that this Report and Order SHALL BE EFFECTIVE 30 days after publication in the Federal Register, and that compliance with the rules adopted herein shall be required six months after the effective date of the Report and Order, except that the amendments to sections 52.37(c), 52.37(d), 52.37(e), 52.37(g), 64.2010(h)(2), 64.2010(h)(3), 64.2010(h)(4), 64.2010(h)(5), 64.2010(h)(6), and 64.2010(h)(8) of the Commission’s rules, 47 CFR §§ 52.37(c), 52.37(d), 52.37(e), 52.37(g), 64.2010(h)(2), 64.2010(h)(3), 64.2010(h)(4), 64.2010(h)(5), 64.2010(h)(6), and 64.2010(h)(8), which may contain new or modified information collection requirements, will not become effective until the later of i) six months after the effective date of this Report and Order; or ii) after the Office of Management and Budget completes review of any information collection requirements associated with this Report and Order that the Wireline Competition Bureau determines is required under the Paperwork Reduction Act. The Commission directs the Wireline Competition Bureau to announce the compliance date for sections 52.37(c), 52.37(d), 52.37(e), 52.37(g), 64.2010(h)(2), 64.2010(h)(3), 64.2010(h)(4), 64.2010(h)(5), 64.2010(h)(6), and 64.2010(h)(8) by subsequent Public Notice and to cause 47 CFR § 52.37 and § 64.2010 to be revised accordingly. 122. IT IS FURTHER ORDERED that pursuant to the authority contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 152, 154, 201, 222, 251, 303, and 332, this Further Notice of Proposed Rulemaking in WC Docket No. 21-341 IS ADOPTED. 123. IT IS FURTHER ORDERED that the Commission’s Office of the Secretary, Reference Information Center, SHALL SEND a copy of this Report and Order and Further Notice of Proposed Rulemaking, including the Final Regulatory Flexibility Analysis and Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration. 124. IT IS FURTHER ORDERED that the Office of the Managing Director, Performance and Program Management, SHALL SEND a copy of this Report and Order in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. § 801(a)(1)(A). FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 2 APPENDIX A Final Rules The Federal Communications Commission amends Parts 52 and 64 of Title 47 of the Code of Federal Regulations as follows: PART 52 – NUMBERING 1. The authority citation for part 52 continues to read as follows: Authority: 47 U.S.C. 151, 152, 153, 154, 155, 201-205, 207-209, 218, 225-227, 251-252, 271, 303, 332, unless otherwise noted. 2. Add § 52.37 to subpart C to read as follows: § 52.37 Number Portability Requirements for Wireless Providers (a) Applicability. This section applies to all providers of commercial mobile radio service (CMRS), as defined in 47 CFR § 20.3, including resellers of wireless service. (b) Authentication of port-out requests. A CMRS provider shall use secure methods to authenticate a customer that are reasonably designed to confirm the customer’s identity before effectuating a port-out request, except to the extent otherwise required by 47 U.S.C. § 345 (Safe Connections Act of 2022) or Part 64 Subpart II of this chapter. A CMRS provider shall regularly, but not less than annually, review and, as necessary, update its customer authentication methods to ensure that its authentication methods continue to be secure. (c) Customer notification of port-out requests. Upon receiving a port-out request, and before effectuating the request, a CMRS provider shall provide immediate notification to the customer that a port-out request associated with the customer’s account was made, sent in accordance with customer preferences, if indicated, and using means reasonably designed to reach the customer associated with the account and clear and concise language that provides sufficient information to effectively inform a customer that a port-out request involving the customer’s number was made, except if the port-out request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of this chapter, regardless of whether the line separation is technically or operationally feasible. (d) Account locks. A CMRS provider shall offer customers, at no cost, the option to lock their accounts to prohibit the CMRS provider from processing requests to port the customer’s number. A CMRS provider shall not fulfill a port-out request until the customer deactivates the lock on the account, except if the port-out request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of this chapter, regardless of whether the line separation is technically or operationally feasible. The process to activate and deactivate an account lock must not be unduly burdensome for customers such that it effectively inhibits customers from implementing their choice. A CMRS provider may activate a port-out lock on a customer’s account when the CMRS provider has a reasonable belief that the customer is at high risk of fraud, but must provide the customer with clear notification that the account lock has been activated with instructions on how the customer can deactivate the account lock, and promptly comply with the customer’s legitimate request to deactivate the account lock. (e) Notice of Account Protection Measures. A CMRS provider must provide customers with notice, using clear and concise language, of any account protection measures the CMRS provider offers, including those to prevent port-out fraud. A CMRS provider shall make this notice easily accessible through the CMRS provider’s website and application. (f) Employee Training. A CMRS provider shall develop and implement training for employees to specifically address fraudulent port-out attempts, complaints, and remediation. Training shall include, at a minimum, how to identify fraudulent requests, how to recognize when a customer may be the victim of fraud, and how to direct potential victims and individuals making potentially fraudulent requests to employees specifically trained to handle such incidents. (g) Procedures to resolve fraudulent ports. A CMRS provider shall, at no cost to customers: (1) maintain a clearly disclosed, transparent, and easy-to-use process for customers to report fraudulent number ports; (2) promptly investigate and take reasonable steps within its control to remediate fraudulent number ports; and (3) promptly provide customers, upon request, with documentation of fraudulent number ports involving their accounts. (h) This section may contain information-collection and/or recordkeeping requirements. Compliance with this section will not be required until this paragraph is removed or contains a compliance date, which will not occur until the later of: i) [INSERT DATE SIX MONTHS AFTER THE EFFECTIVE DATE OF THIS REPORT AND ORDER]; or ii) after the Office of Management and Budget completes review of any information collection requirements in this section that the Wireline Competition Bureau determines is required under the Paperwork Reduction Act or the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for this section by subsequent Public Notice and to cause this section to be revised accordingly. PART 64 – MISCELLANEOUS RULES RELATING TO COMMON CARRIERS 3. The authority citation for part 64 continues to read as follows: Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276, 303, 332, 403(b)(2)(B), (c), 616, 620, 1004, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091. 4. Amend § 64.2010 by adding paragraph (h) to read as follows: § 64.2010 Safeguards on the disclosure of customer proprietary network information. * * * * * (h) Subscriber Identity Module (SIM) changes. A provider of commercial mobile radio service (CMRS), as defined in 47 CFR § 20.3, including resellers of wireless service, shall only effectuate SIM change requests in accordance with this section. For purposes of this section, SIM means a physical or virtual card associated with a device that stores unique information that can be identified to a specific mobile network. (1) Customer authentication. A CMRS provider shall use secure methods to authenticate a customer that are reasonably designed to confirm the customer’s identity before executing a SIM change request, except to the extent otherwise required by 47 U.S.C. § 345 (Safe Connections Act of 2022) or Part 64, Subpart II of this chapter. Authentication methods shall not rely on readily available biographical information, account information, recent payment information, or call detail information unless otherwise permitted under 47 U.S.C. § 345 or Part 64, Subpart II of this chapter. A CMRS provider shall regularly, but not less than annually, review and, as necessary, update its customer authentication methods to ensure that its authentication methods continue to be secure. A CMRS provider shall establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI in the course of that customer interaction until after the customer has been properly authenticated. (2) Response to failed authentication attempts. A CMRS provider shall develop, maintain, and implement procedures for addressing failed authentication attempts in connection with a SIM change request that are reasonably designed to prevent unauthorized access to a customer’s account, which, among other things, take into consideration the needs of survivors pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of this chapter. (3) Customer notification of SIM change requests. Upon receiving a SIM change request, and before effectuating the request, a CMRS provider shall provide immediate notification to the customer that a SIM change request associated with the customer’s account was made, sent in accordance with customer preferences, if indicated, and using means reasonably designed to reach the customer associated with the account and clear and concise language that provides sufficient information to effectively inform a customer that a SIM change request involving the customer’s SIM was made, except if the SIM change request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of this chapter, regardless of whether the line separation is technically or operationally feasible. (4) Account locks. A CMRS provider shall offer customers, at no cost, the option to lock their accounts to prohibit the CMRS provider from processing requests to change the customer’s SIM. A CMRS provider shall not fulfill a SIM change request until the customer deactivates the lock on the account, except if the SIM change request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of this chapter, regardless of whether the line separation is technically or operationally feasible. The process to activate and deactivate an account lock must not be unduly burdensome for customers such that it effectively inhibits customers from implementing their choice. A CMRS provider may activate a SIM change lock on a customer’s account when the CMRS provider has a reasonable belief that the customer is at high risk of fraud, but must provide the customer with clear notification that the account lock has been activated with instructions on how the customer can deactivate the account lock, and promptly comply with the customer’s legitimate request to deactivate the account lock. (5) Notice of account protection measures. A CMRS provider must provide customers with notice, using clear and concise language, of any account protection measures the CMRS provider offers, including those to prevent SIM swap fraud. A CMRS provider shall make this notice easily-accessible through the CMRS provider’s website and application. (6) Procedures to resolve fraudulent SIM changes. A CMRS provider shall, at no cost to customers: (i) maintain a clearly disclosed, transparent, and easy-to-use process for customers to report fraudulent SIM changes; (ii) promptly investigate and take reasonable steps within its control to remediate fraudulent SIM changes; and (iii) promptly provide customers, upon request, with documentation of fraudulent SIM changes involving their accounts. (7) Employee training. A CMRS provider shall develop and implement training for employees to specifically address fraudulent SIM change attempts, complaints, and remediation. Training shall include, at a minimum, how to identify potentially fraudulent SIM change requests, how to identify when a customer may be the victim of SIM swap fraud, and how to direct potential victims and individuals making potentially fraudulent requests to employees specifically trained to handle such incidents. (8) SIM change recordkeeping. A CMRS provider shall establish processes to reasonably track, and maintain for a minimum of three years, the total number of SIM change requests it received, the number of successful SIM change requests, the number of failed SIM change requests, the number of successful fraudulent SIM change requests, the average time to remediate a fraudulent SIM change, the total number of complaints received regarding fraudulent SIM change requests, the authentication measures the CMRS provider has implemented, and when those authentication measures change. A CMRS provider shall provide such data and information to the Commission upon request. (9) Compliance. Paragraph (h) may contain information-collection and/or recordkeeping requirements. Compliance with paragraph (h) will not be required until this subparagraph is removed or contains a compliance date, which will not occur until the later of: i) [INSERT DATE SIX MONTHS AFTER THE EFFECTIVE DATE OF THIS REPORT AND ORDER]; or ii) after the Office of Management and Budget completes review of any information collection requirements in paragraph (h) that the Wireline Competition Bureau determines is required under the Paperwork Reduction Act or the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for this paragraph (h) by subsequent Public Notice and to cause this paragraph to be revised accordingly. APPENDIX B Final Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the Protecting Consumers from SIM Swap and Port-Out Fraud Notice of Proposed Rulemaking (SIM Swap and Port-Out Fraud Notice) released in September 2021. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14152-14161, para. 6., Appx. B. The Commission sought written public comment on the proposals in the SIM Swap and Port-Out Fraud Notice, including comment on the IRFA. The comments received are discussed below. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA. 5 U.S.C. § 604. A. Need for, and Objectives of, the Report and Order 2. The Report and Order establishes protections to address SIM swap and port-out fraud. With SIM swap fraud, a bad actor impersonates a customer of a wireless provider and convinces the provider to reassign the customer’s SIM from the customer’s device to a device controlled by the bad actor. Similarly, with port-out fraud, the bad actor impersonates a customer of a wireless provider and convinces the provider to port the customer’s telephone number to a new wireless provider and a device that the bad actor controls. FCC, Port-Out Fraud Targets Your Private Accounts, https://www.fcc.gov/port-out-fraud-targets-your-private-accounts (last updated July 10, 2023). Both fraudulent practices transfer the victim’s wireless service to the bad actor, allow the bad actor to gain access to information associated with the customer’s account, and permit the bad actor to receive the text messages and phone calls intended for the customer. 3. The rules adopted in the Report and Order aim to foreclose these fraudulent practices while preserving the relative ease with which customers can obtain legitimate SIM changes and number ports. Specifically, the Report and Order revises the Commission’s CPNI and LNP rules to require that wireless providers use secure methods of authenticating customers prior to performing SIM changes and number ports. This requirement is reinforced by other rules, including that wireless providers adopt processes for responding to failed authentication attempts, institute employee training for handling SIM swap and port-out fraud, and establish safeguards to prevent employees who receive inbound customer communications are unable to access CPNI in the course of that customer interaction until after customers have been authenticated. The Report and Order also adopts rules that will enable customers to act to prevent and address fraudulent SIM changes and number ports, including requiring that wireless providers notify customers regarding SIM change and port-out requests, offer customers the option to lock their accounts to block processing of SIM changes and number ports, and give advanced notice of available account protection mechanisms. Additionally, the Report and Order establishes requirements to minimize the harms of SIM swap and port-out fraud when it occurs, including requiring wireless providers to maintain a clear process for customers to report fraud, promptly investigate and remediate fraud, and promptly provide customers with documentation of fraud involving their accounts. Finally, to ensure wireless providers track the effectiveness of authentication measures used for SIM change requests, the Report and Order requires that providers keep records of SIM change requests and the authentication measures they use. B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA 4. There were no comments that directly addressed the proposed rules and policies presented in the SIM Swap and Port-Out Fraud Notice IRFA. However two commenters discussed the potential impact of rules on small carriers. The Competitive Carriers Association (CCA) advocated that the Commission adopt security measures that give providers flexibility to account for the constraints with which many small providers operate. See CCA Comments at 6. The Rural Wireless Association (RWA) called for uniform standards for port-out authentication to prevent potential anticompetitive activities and increased costs for small providers in the event that larger providers hold small providers to standards that are difficult or costly to implement. See RWA Comments at 12-14. The approach taken by the Report and Order addresses these comments by setting baseline requirements that build on existing mechanisms that many wireless providers already use to establish a uniform framework across the mobile wireless industry, while giving wireless providers the flexibility to deliver the most advanced, appropriate, and cost-effective fraud protection measures available. C. Response to Comments by the Chief Counsel for Advocacy of the Small Business Administration 5. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments. 5 U.S.C. § 604(a)(3). The Chief Counsel did not file any comments in response to the proposed rules in this proceeding. D. Description and Estimate of the Number of Small Entities to Which the Rules Will Apply 6. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the rules adopted herein. Id. § 604 (a)(4). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” Id. § 601(6). In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. Id. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA. 15 U.S.C. § 632. 7. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe, at the outset, three broad groups of small entities that could be directly affected herein. See 5 U.S.C. § 601(3)-(6). First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. SBA, Office of Advocacy, “What’s New With Small Business?,” https://advocacy.sba.gov/wp-content/uploads/2023/03/Whats-New-Infographic-March-2023-508c.pdf (Mar. 2023). These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses. Id. 8. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” See 5 U.S.C. § 601(4). The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number of small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations – Form 990-N (e-Postcard), “Who must file,” https://www.irs.gov/charities-non-profits/annual-electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. See Exempt Organizations Business Master File Extract (EO BMF), “CSV Files by Region,” https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000 for Region 1-Northeast Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast Areas (213,840) that includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico. 9. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” 5 U.S.C. § 601(5). U.S. Census Bureau data from the 2017 Census of Governments 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-surveys/cog/about.html. indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also tbl.2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017. Of this number, there were 36,931 general purpose governments (county, Id. at tbl.5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments. municipal, and town or township Id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000. ) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts Id. at tbl.10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also tbl.4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017. with enrollment populations of less than 50,000. While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.” This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations tbls.5, 6 & 10. 1. Providers of Telecommunications and Other Services 10. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband Internet services. Id. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Id. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. Fixed Local Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, and Other Local Service Providers. Local Resellers fall into another U.S. Census Bureau industry group and therefore data for these providers is not included in this industry. 11. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were engaged in the provision of fixed local services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 12. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. Fixed Local Exchange Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were fixed local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 13. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. Id. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 1,212 providers that reported they were incumbent local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 916 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of incumbent local exchange carriers can be considered small entities. 14. Competitive Local Exchange Carriers (Competitive LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. Competitive Local Exchange Service Providers include the following types of providers: Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 3,378 providers that reported they were competitive local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 3,230 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 15. Interexchange Carriers (IXCs). Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. Id. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 127 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 109 providers have 1,500 or fewer employees. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities. 16. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Id. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 207 providers that reported they were engaged in the provision of local resale services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 202 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 17. Toll Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 457 providers that reported they were engaged in the provision of toll services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf Of these providers, the Commission estimates that 438 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 18. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless Internet access, and wireless video services. Id. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 594 providers that reported they were engaged in the provision of wireless services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 511 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 19. Satellite Telecommunications. This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” See U.S. Census Bureau, 2017 NAICS Definition, “517410 Satellite Telecommunications,” https://www.census.gov/naics/?input=517410&year=2017&details=517410. Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $38.5 million or less in annual receipts as small. 13 CFR § 121.201, NAICS Code 517410. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517410, https://data.census.gov/cedsci/table?y=2017&n=517410&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 242 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 65 providers that reported they were engaged in the provision of satellite telecommunications services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that approximately 42 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, a little more than half of these providers can be considered small entities. 20. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Providers of Internet services (e.g. dial-up ISPs) or Voice over Internet Protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. Id. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small. 2. Internet Service Providers 21. Wired Broadband Internet Access Service Providers (Wired ISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wired Telecommunications Carriers and All Other Telecommunications small entity industry descriptions. Providers of wired broadband Internet access service include various types of providers except dial-up Internet access providers. Wireline service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. 47 CFR § 1.7001(a)(1). Wired broadband Internet services fall in the Wired Telecommunications Carriers industry. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. The SBA small business size standard for this industry classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 22. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 2,700 providers of connections over 200 kbps in at least one direction using various wireline technologies. IAS Status 2018, Fig. 30 (The technologies used by providers include aDSL, sDSL, Other Wireline, Cable Modem and FTTP). Other wireline includes: all copper-wire based technologies other than xDSL (such as Ethernet over copper, T-1/DS-1 and T3/DS-1) as well as power line technologies which are included in this category to maintain the confidentiality of the providers. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, in light of the general data on fixed technology service providers in the Commission’s 2022 Communications Marketplace Report, See Communications Marketplace Report, GN Docket No. 22-203, 2022 WL 18110553 at 10, paras. 26-27, Figs. II.A.5-7. (2022) (2022 Communications Marketplace Report). we believe that the majority of wireline Internet access service providers can be considered small entities. 23. Wireless Broadband Internet Access Service Providers (Wireless ISPs or WISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wireless Telecommunications Carriers (except Satellite) and All Other Telecommunications small entity industry descriptions. Providers of wireless broadband Internet access service include fixed and mobile wireless providers. The Commission defines a WISP as “[a] company that provides end-users with wireless access to the Internet[.]” Federal Communications Commission, Internet Access Services: Status as of December 31, 2018 (IAS Status 2018), Industry Analysis Division, Office of Economics & Analytics (September 2020). The report can be accessed at https://www.fcc.gov/economics-analytics/industry-analysis-division/iad-data-statistical-reports. Wireless service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. See 47 CFR § 1.7001(a)(1). Neither the SBA nor the Commission have developed a size standard specifically applicable to Wireless Broadband Internet Access Service Providers. The closest applicable industry with an SBA small business size standard is Wireless Telecommunications Carriers (except Satellite). See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 24. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 1,209 fixed wireless and 71 mobile wireless providers of connections over 200 kbps in at least one direction. See IAS Status 2018, Fig. 30. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, based on data in the Commission’s 2022 Communications Marketplace Report on the small number of large mobile wireless nationwide and regional facilities-based providers, the dozens of small regional facilities-based providers and the number of wireless mobile virtual network providers in general, 2022 Communications Marketplace Report , 2022 WL 18110553 at 27, paras. 64-68. as well as on terrestrial fixed wireless broadband providers in general, Id. at 8, para. 22. we believe that the majority of wireless Internet access service providers can be considered small entities. 25. Internet Service Providers (Non-Broadband). Internet access service providers using client-supplied telecommunications connections (e.g., dial-up ISPs) as well as VoIP service providers using client-supplied telecommunications connections fall in the industry classification of All Other Telecommunications. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). For this industry, U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Consequently, under the SBA size standard a majority of firms in this industry can be considered small. E. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 26. This Report and Order adopts rules that could result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements for affected providers of service, including small wireless providers. Specifically, it requires that wireless providers use secure methods of authenticating customers prior to performing SIM changes and number ports, and to review and update these authentication methods as needed, but at least annually. It requires wireless providers to adopt processes for customer notification and response to failed authentication attempts, institute employee training for handling SIM swap and port-out fraud, and establish safeguards to prevent employees who receive inbound customer communications from accessing CPNI in the course of that customer interaction until after customers have been authenticated. The Report and Order also adopts rules requiring that wireless providers notify customers regarding SIM change and port-out requests, offer customers the option to lock their accounts to block processing of SIM changes and number ports, and give advanced notice of available account protection mechanisms. Additionally, the Report and Order requires wireless providers to maintain a clear process for customers to report fraud, promptly investigate and remediate fraud, and promptly provide customers with documentation of fraud involving their accounts. Finally, the Report and Order requires that providers keep records of SIM change requests and the authentication measures they use. 27. We are cognizant that, in some instances, strict prescriptive requirements to prevent SIM swap and port-out fraud could be technically and economically infeasible for wireless providers to implement, particularly for smaller providers. The Commission does not have sufficient information on the record to determine whether small entities will be required to hire professionals to comply with its decisions or to quantify the cost of compliance for small entities. However, the record reflects that many wireless providers have already developed and implemented some form of the customer authentication requirements in the Report and Order, minimizing cost implications for small entities. We also permit wireless providers to use existing methods of notification that are reasonably designed to reach the affected customer. Several of our rules build on existing mechanisms that many wireless providers already use, and therefore, we expect that our new rules will further minimize the costs and burdens for those providers, and should significantly reduce compliance requirements for small entities that may have smaller staff and fewer resources. F. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 28. The RFA requires an agency to provide “a description of the steps the agency has taken to minimize the significant economic impact on small entities . . .including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency which affect the impact on small entities was rejected.” 5 U.S.C. § 604(a)(6). 29. The requirements established in this Report and Order are designed to minimize the economic impact on wireless providers, including small providers. The baseline, flexible rules adopted reflect a recognition that, in some cases, strict prescriptive requirements to prevent SIM swap and port-out fraud could be technically and economically infeasible for wireless providers to implement, particularly for smaller providers. We therefore decline to adopt certain specific authentication methods mentioned in the SIM Swap and Port-Out Fraud Notice because they may discourage carriers from adopting new methods to address evolving techniques used by bad actors. The record shows that many wireless providers already have in place some of the policies and procedures this Report and Order adopts and that the rules may therefore only require them to adapt, refine, or consistently apply those existing practices. Additionally, by setting baseline requirements and giving wireless providers flexibility on how to meet them, this Report and Order allows providers to adopt the most cost-effective and least burdensome solutions to achieve the level of security needed to protect customers against SIM swap and port-out fraud in a given circumstance. The Report and Order further minimizes any potential burdens of customer notifications by declining to prescribe particular content and wording and giving wireless providers flexibility on how to deliver such notifications. Similarly, for customer notices, the Report and Order declines to require a specific format and content and declines to require such notices be delivered to customers annually. With respect to employee training, we decline to adopt overly prescriptive safeguards, such as two-employee sign off. Instead, the requirement this Report and Order adopts minimizes potential burdens because it builds on the Commission’s existing CPNI training rule and gives wireless providers flexibility on how to develop their training programs. Further, the Report and Order mitigates the potential burdens of the recordkeeping requirement by declining to require that wireless providers include historic data in their recordkeeping, which the Report and Order acknowledged would be particularly burdensome for small providers, and declining to require that providers report this data to the Commission regularly. G. Report to Congress 30. The Commission will send a copy of the SIM Swap and Port-Out Fraud Report and Order, including this FRFA, in a report to be sent to Congress pursuant to the Congressional Review Act. Id. § 801(a)(1)(A). In addition, the Commission will send a copy of the SIM Swap and Port-Out Fraud Report and Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the SIM Swap and Port-Out Fraud Report and Order (or summaries thereof) will also be published in the Federal Register. Id. § 604(b). APPENDIX C Initial Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Protecting Consumers from SIM Swap and Port-Out Fraud Further Notice of Proposed Rulemaking (Further Notice). Written comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments on the Further Notice provided on the first page of the item. The Commission will send a copy of the Further Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). 5 U.S.C. § 603(a). In addition, the Further Notice and IRFA (or summaries thereof) will be published in the Federal Register. Id. A. Need for, and Objectives of, the Proposed Rules 2. In the SIM Swap and Port-Out Fraud Report and Order (Report and Order), the Commission adopts rules to address fraudulent practices that transfer a customer’s wireless service to a bad actor, allowing the bad actor to gain access to information associated with the customer’s account, and permitting the bad actor to receive the text messages and phone calls intended for the customer.. Specifically, the Report and Order revises the Commission’s Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The Report and Order also requires wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts, and take additional steps to protect customers from SIM swap and port-out fraud. This approach sets baseline requirements that establish a uniform framework across the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available. 3. In this Further Notice, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI See 47 CFR § 64.2010. with the SIM change authentication and protection measures adopted in the Report and Order. This Further Notice expands on questions asked in the SIM Swap and Port-Out Fraud Notice and several comments in the record, but seeks more targeted feedback on a specific approach. The Further Notice explores whether justifications identified by commenters in the record, or any other justifications, provide a rationale for harmonizing the existing CPNI rules with the customer protection measures adopted in the Report and Order, as well as any reasons why the Commission should not harmonize its existing CPNI rules with the SIM swap fraud protection measures adopted in the Report and Order. 4. Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the Further Notice also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. The Further Notice also seeks comment on whether to require wireless providers to immediately notify customers in the event of a failed authentication attempt, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. § 345) or the Commission’s rules implementing that statute, or whether to permit carriers to employ reasonable risk assessment techniques to determine when a failed authentication attempt requires customer notification, or require notification only in instances of multiple failed attempts or when there is reasonable suspicion of fraud. B. Legal Basis 5. The proposed action is authorized pursuant to sections 1, 4, 201, 222, 251, 303(r), and 332 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154, 201, 222, 251, 303(r), and 332. C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply 6. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted. 5 U.S.C. § 603(b)(3). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” Id. § 601(6). In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. Id. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA. 15 U.S.C. § 632. 7. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe, at the outset, three broad groups of small entities that could be directly affected herein. 5 U.S.C. § 601(3)-(6). First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. SBA, Office of Advocacy, “What’s New With Small Business?,” https://advocacy.sba.gov/wp-content/uploads/2023/03/Whats-New-Infographic-March-2023-508c.pdf. (Mar. 2023). These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses. Id. 8. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” 5 U.S.C. § 601(4). The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number of small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations – Form 990-N (e-Postcard), “Who must file,” https://www.irs.gov/charities-non-profits/annual-electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. See Exempt Organizations Business Master File Extract (EO BMF), “CSV Files by Region,” https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000 for Region 1-Northeast Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast Areas (213,840) that includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico. 9. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” 5 U.S.C. § 601(5). U.S. Census Bureau data from the 2017 Census of Governments 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-surveys/cog/about.html. indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also tbl.2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017. Of this number, there were 36,931 general purpose governments (county, Id. at tbl.5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments. municipal, and town or township Id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000. ) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts Id. at tbl.10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also tbl.4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017. with enrollment populations of less than 50,000. While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.” This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations tbls.5, 6 & 10. 1. Providers of Telecommunications and Other Services 10. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband Internet services. Id. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Id. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. Fixed Local Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, and Other Local Service Providers. Local Resellers fall into another U.S. Census Bureau industry group and therefore data for these providers is not included in this industry. 11. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were engaged in the provision of fixed local services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 12. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. Fixed Local Exchange Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VoIP Providers, Non-Interconnected VoIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. Id. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were fixed local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 13. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. See 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. Id. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 1,212 providers that reported they were incumbent local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 916 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of incumbent local exchange carriers can be considered small entities. 14. Competitive Local Exchange Carriers (Competitive LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. Competitive Local Exchange Service Providers include the following types of providers: Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 3,378 providers that reported they were competitive local exchange service providers. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 3,230 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 15. Interexchange Carriers (IXCs). Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. is the closest industry with an SBA small business size standard. See 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. Id. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 127 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 109 providers have 1,500 or fewer employees. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities. 16. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Id. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 207 providers that reported they were engaged in the provision of local resale services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 202 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 17. Toll Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 457 providers that reported they were engaged in the provision of toll services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf Of these providers, the Commission estimates that 438 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 18. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless Internet access, and wireless video services. Id. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 594 providers that reported they were engaged in the provision of wireless services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 511 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 19. Wireless Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Wireless Resellers. The closest industry with an SBA small business size standard is Telecommunications Resellers. See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Id. Establishments in this industry resell telecommunications and they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. Under the SBA size standard for this industry, a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services during that year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, for this industry under the SBA small business size standard, the majority of providers can be considered small entities. 20. Satellite Telecommunications. This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” See U.S. Census Bureau, 2017 NAICS Definition, “517410 Satellite Telecommunications,” https://www.census.gov/naics/?input=517410&year=2017&details=517410. Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $38.5 million or less in annual receipts as small. 13 CFR § 121.201, NAICS Code 517410. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517410, https://data.census.gov/cedsci/table?y=2017&n=517410&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 242 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 65 providers that reported they were engaged in the provision of satellite telecommunications services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that approximately 42 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, a little more than half of these providers can be considered small entities. 21. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Providers of Internet services (e.g. dial-up ISPs) or Voice over Internet Protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. Id. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small. 2. Internet Service Providers 22. Wired Broadband Internet Access Service Providers (Wired ISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wired Telecommunications Carriers and All Other Telecommunications small entity industry descriptions. Providers of wired broadband Internet access service include various types of providers except dial-up Internet access providers. Wireline service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. 47 CFR § 1.7001(a)(1). Wired broadband Internet services fall in the Wired Telecommunications Carriers industry. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. The SBA small business size standard for this industry classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 23. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 2,700 providers of connections over 200 kbps in at least one direction using various wireline technologies. See IAS Status 2018, Fig. 30 (The technologies used by providers include aDSL, sDSL, Other Wireline, Cable Modem and FTTP). Other wireline includes: all copper-wire based technologies other than xDSL (such as Ethernet over copper, T-1/DS-1 and T3/DS-1) as well as power line technologies which are included in this category to maintain the confidentiality of the providers. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, in light of the general data on fixed technology service providers in the Commission’s 2022 Communications Marketplace Report, Communications Marketplace Report, GN Docket No. 22-203, 2022 WL 18110553 at 10, paras. 26-27, Figs. II.A.5-7. (2022) (2022 Communications Marketplace Report). we believe that the majority of wireline Internet access service providers can be considered small entities. 24. Wireless Broadband Internet Access Service Providers (Wireless ISPs or WISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wireless Telecommunications Carriers (except Satellite) and All Other Telecommunications small entity industry descriptions. Providers of wireless broadband Internet access service include fixed and mobile wireless providers. The Commission defines a WISP as “[a] company that provides end-users with wireless access to the Internet[.]” Federal Communications Commission, Internet Access Services: Status as of December 31, 2018 (IAS Status 2018), Industry Analysis Division, Office of Economics & Analytics (September 2020). The report can be accessed at https://www.fcc.gov/economics-analytics/industry-analysis-division/iad-data-statistical-reports. Wireless service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. 47 CFR § 1.7001(a)(1). Neither the SBA nor the Commission have developed a size standard specifically applicable to Wireless Broadband Internet Access Service Providers. The closest applicable industry with an SBA small business size standard is Wireless Telecommunications Carriers (except Satellite). See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 25. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 1,209 fixed wireless and 71 mobile wireless providers of connections over 200 kbps in at least one direction. See IAS Status 2018, Fig. 30. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, based on data in the Commission’s 2022 Communications Marketplace Report on the small number of large mobile wireless nationwide and regional facilities-based providers, the dozens of small regional facilities-based providers and the number of wireless mobile virtual network providers in general, 2022 Communications Marketplace Report, 2022 WL 18110553 at 27, paras. 64-68. as well as on terrestrial fixed wireless broadband providers in general, Id. at 8, para. 22. we believe that the majority of wireless Internet access service providers can be considered small entities. 26. Internet Service Providers (Non-Broadband). Internet access service providers using client-supplied telecommunications connections (e.g., dial-up ISPs) as well as VoIP service providers using client-supplied telecommunications connections fall in the industry classification of All Other Telecommunications. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). For this industry, U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Consequently, under the SBA size standard a majority of firms in this industry can be considered small. D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 27. In this Further Notice, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI 47 CFR § 64.2010. with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. We tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the Further Notice also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. 28. Should the Commission decide to modify existing rules or adopt new rules to harmonize its existing CPNI rules with rules to protect customers from SIM swap fraud, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements for affected providers of service. Likewise, should the Commission decide to adopt rules requiring notification of a failed authentication attempt, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements. We seek comment on the effect of any proposals on small entities. Entities, especially small businesses, are encouraged to quantify the costs and benefits of any reporting, recordkeeping, or compliance requirement that may be established in this proceeding. We anticipate the information we receive in comments including, where requested, cost and benefit analyses, will help the Commission identify and evaluate relevant compliance matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the Further Notice. E. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 29. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.” 5 U.S.C. § 603(c)(1)–(4). 30. In this Further Notice, we seek comment on whether we should harmonize the existing requirements governing customer access to CPNI 47 CFR § 64.2010. with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. Among the justifications on which we seek comment are whether inconsistent rules are more burdensome on carriers and whether carriers need flexibility to implement more secure authentication measures. We also tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers. In considering additional alternatives, we also ask whether it would it be costly and burdensome for carriers to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements adopted in the Report and Order, and whether there are other reasons harmonized rules could increase the costs or burdens on carriers, including small carriers. Regarding notification to customers of failed authentication attempts, the Further Notice seeks comment whether the Commission should require immediate notification by all telecommunications carriers or only wireless providers. The Further Notice also asks whether providers should be required to notify customers immediately of all failed authentication attempts, or whether instead to permit carriers to employ reasonable risk assessment techniques to determine when failed authentication attempts require customer notification, or require notification only in instances of multiple failed attempts or when there is reasonable suspicion of fraud. The Commission expects to consider the economic impact on small entities, as identified in comments filed in response to the Further Notice and this IRFA, in reaching its final conclusions and taking action in this proceeding. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 31. None. Federal Communications Commission FCC 23-95 STATEMENT OF CHAIRWOMAN JESSICA ROSENWORCEL Re: Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Report and Order and Further Notice of Proposed Rulemaking (November 15, 2023). If you want to know something about someone, just look at their phone. Because our phones do more than just connect us to friends and family. They are a record of where we have been and who we are. For many of us, these devices are internet gateways to our bank accounts, health records, social media profiles, and more. The convenience of accessing all of this through our phones is undeniable. But it also makes our devices a growing target for fraud—like SIM-swapping scams. SIM cards are the dime-sized chips that are inserted into a mobile phone to identify and authenticate subscribers. When you want to upgrade your device, transferring your SIM card makes it easy to move your subscriber information to a new phone. But that’s where fraudsters step in. A bad actor can call up your wireless provider and convince the customer service representative on the other end of the line that you really need to transfer your SIM card to a new device—a device that is in their control, not yours. If they are successful, they can divert two-factor authentication messages to drain your bank account, take over your social media profile, and hijack your e-mail. The Federal Bureau of Investigation reports SIM-swapping scams are on the rise. But they are not alone. Because we see it here, too. At the Federal Communications Commission we are getting more and more complaints from consumers who have suffered losses due to SIM-swapping fraud. On top of this, the Cyber Safety Review Board at the Department of Homeland Security recently released a report investigating a bad actor responsible for extortion of a mix of companies and government agencies though SIM-swapping fraud. The report recommended that we take action to support consumer privacy and cut off these scams. That is exactly what we do today. We require wireless carriers to give subscribers more control over their accounts and provide notice to consumers whenever there is a SIM transfer request, in order to protect against fraudulent requests made by bad actors. We also revise our customer proprietary network information and local number portability rules to make it harder for scam artists to make requests that get them access to your sensitive subscriber information. We take these steps to improve consumer privacy and put an end to SIM scams. Because we know our phones know a lot about us. They are an entry to our records, our accounts, and so much that we value. That is why across the board we need policies that make sure our information is secure. It is also why I created the Commission’s first-ever Privacy and Data Protection Task Force earlier this year. I want to thank them for their work on this initiative. I also want to thank Allison Baker, Emily Caditz, Callie Coker, Adam Copeland, CJ Ferraro, Trent Harkrader, Melissa Kirkel, Chris Laughlin, Jodie May, and Jordan Reth from the Wireline Competition Bureau; Diane Burstein, Eliot Greenwald, Erica McMahon, Ike Ofobike, Suzy Rosen Singleton, Karen Schroeder, Kristi Thornton, and Kimberly Wild from the Consumer and Governmental Affairs Bureau; Loyaan Egal, Michael Epshteyn, James Graves, Phil Rosario, Kimbarly Taylor, Kristi Thompson, and Shana Yates from the Enforcement Bureau; Justin Cain, Ken Carlberg, Debra Jordan, Nicole McGinnis, Zenji Nakazawa, Erika Olsen, and Austin Randazzo from the Public Safety and Homeland Security Bureau; Garnet Hanly and Jennifer Salhus from the Wireless Telecommunications Bureau; Mark Azic, Patrick Brogan, Chelsea Fallon, Eugene Kiselev, Eric Ralph, and Emily Talaga from the Office of Economics and Analytics; Andrea Kearney, Doug Klein, Richard Mallen, and Derek Yeo from the Office of General Counsel; and Joycelyn James and Joy Ragsdale from the Office of Communications Business Opportunities. 2 STATEMENT OF COMMISSIONER GEOFFREY STARKS Re: Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-34, Report and Order and Further Notice of Proposed Rulemaking (November 15, 2023). It’s a frightening thought – that a stranger could successfully impersonate you to your phone company, and in one conversation gain access to your primary means of communication. But this is more than a thought, it’s reality. Bad actors are taking advantage of the services that let you keep your old number when you change phones or providers, leveraging identity authentication protocols and underdeveloped fraud response systems to, essentially, steal your phone and your account – without ever gaining physical control of it. These scams – SIM swap and port-out fraud – don’t just put wireless account access and details at risk. Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on. Consumers must be able to count on secure verification procedures and reliable privacy guarantees from their wireless providers. And they should be able to go about their day without fearing that someone, somewhere, might take control of their phone without a single warning sign. Today, we take action to provide that security. This order updates the Commission’s existing Customer Proprietary Network Information (“CPNI”) and Local Number Portability (“LNP”) rules to protect against SIM swap and port-out fraud. While the framework we implement today is responsive to the current scope of these deceptive practices, it is also forward-looking. We require wireless providers to adopt secure authentication methods and to immediately notify customers of SIM change or port-out requests before they are processed, among other things. But we emphasize that these are baseline requirements, rather than prescriptive rules. In doing so, we acknowledge two things the record makes clear: first, that many providers may already have certain protective measures in place that may fulfill some of these new requirements, and second, that the threat landscape is rapidly evolving, and providers need flexibility to adopt and adapt their security methods accordingly. Cell phones are near-ubiquitous, and many Americans rely on them as their sole means of connection, as well as the key to their many online accounts. The Commission’s statutory duty to safeguard consumer privacy within the telecommunications space, and our unparalleled regulatory expertise within that space, gives rise to the strength of today’s item. I thank the Chairwoman for her focus and leadership on these issues, and I thank the Commission staff for their excellent work on this item. It has my full support. 2 STATEMENT OF COMMISSIONER ANNA M. GOMEZ Re: Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Report and Order and Further Notice of Proposed Rulemaking (November 15, 2023). Phone numbers are a lifeline. In addition to keeping us connected to our family and friends, our phone numbers are associated with a variety of digital accounts used for everything from banking to healthcare. And now, messages sent to our phones for multifactor authentication are also used to grant access to these accounts that hold so much of our personal information.   Through two types of fraudulent activity, SIM swapping and number port-outs, malicious actors are able to take over control of a victim’s phone, meaning phone number, without ever accessing their physical phone. Then, using this control, they go after the sensitive consumer information they now have access to. This is unacceptable.  Today, we take meaningful steps to protect consumers against SIM swap and port-out fraud. We will require more secure customer authentication, notify consumers before a SIM swap occurs, and provide the option for consumers to lock their SIM to prevent changes.   Thank you to the Wireline Competition Bureau for your work on this item and to Chairwoman Rosenworcel’s office for incorporating our edits that ensure notifications are available in consumers’ language of choice.  DECLARACIÓN DE LA COMISIONADA ANNA M. GOMEZ Re: Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Report and Order and Further Notice of Proposed Rulemaking (November 15, 2023). Los números de teléfono son un salvavidas. Además de mantenernos conectados con nuestra familia y amigos, nuestros números telefónicos están asociados con una variedad de cuentas digitales que se utilizan para todo, desde los trámites bancarios hasta la atención médica. Y ahora, los mensajes enviados a nuestros teléfonos para la autenticación multifactorial también se utilizan para otorgar acceso a estas cuentas que contienen gran parte de nuestra información personal.  A través de dos tipos de actividad fraudulenta: el intercambio de tarjetas SIM y la transferencia de números (la estafa “port-out”, en inglés), personas malintencionadas pueden adueñarse del número telefónico de una víctima, sin siquiera acceder a su teléfono físico. Luego, buscan la información confidencial del consumidor utilizando su número telefónico para lograr acceso a los datos. Eso es inaceptable.  Hoy, tomamos medidas significativas para proteger a los consumidores contra el fraude de transferencia y el cambio de tarjetas SIM. Requeriremos una autenticación de cliente más segura, notificaremos a los consumidores antes de que se produzca un intercambio de tarjetas SIM y brindaremos a los consumidores la opción de bloquear su tarjeta SIM para evitar cambios.  Agradecemos a la oficina de competencia en línea fija (Wireline Competition Bureau) por su trabajo en este tema, y a la oficina de la presidenta de la FCC, Jessica Rosenworcel, por incorporar los cambios que hemos sugerido para garantizar que las notificaciones estén disponibles en el idioma elegido por los consumidores.