…and other ways to protect your reputation
Lately there’s been a lot of focus on “Know Your Customer,” or KYC. While that seems relatively intuitive, what specifically does it mean for telecommunications in the cloud, and compliance in particular?
For starters, KYC is at the heart of STIR/SHAKEN legislation, with the Federal Communications Commission (FCC) initially requiring that every VoIP provider know their customers well enough to assign an appropriate attestation level—and now get to know their immediate upstream providers, as well.
New Requirements from the FCC
Most recently, the FCC has mandated several new requirements for providers, effective January 8, 2024. The Cloud Communications Alliance sums them up as:
- All voice providers must fully respond to requests to traceback illegal calls within 24 hours.
- All originating voice service providers must block illegal traffic upon notification by the FCC that they are carrying identified illegal traffic. Traffic substantially similar to the identified illegal traffic must also be blocked. This replaces a current rule that requires originating providers to take mitigating action (but not necessarily block) traffic upon FCC notice.
- If a provider receives a notice described above but is not the originating provider, it must immediately identify the upstream provider and take lawful steps to mitigate the traffic.
- Providers downstream of an originating or gateway provider that fails to block calls after FCC notification must block all traffic from that provider. The FCC will issue an order identifying the provider whose traffic must be blocked.
- All intermediate and terminating providers must take steps to know their immediate upstream provider, effectively making all providers in the call path responsible for the calls that transit their networks. The FCC does not define the exact due diligence steps to be taken other than that they are effective. Examples of effective steps include obtaining a physical address, contact person(s), state or country of incorporation, federal tax ID, and understanding the nature of the upstream provider’s business.
The FCC’s order also requires providers to update their robocall mitigation plan filed in the Robocall Mitigation Database (RMD) to certify compliance with these new obligations. The deadline for updating the RMD filing has not yet been set.
Know Your Customer Standards
In support of communications providers adopting KYC as a mechanism “to prevent and mitigate fraudulent and illegal activity” around calling, our friends at Numeracle have developed Model Standards for Know Your Customer. Specifically, the document covers:
- KYC roles and responsibilities within your organization
- A list of information required of each customer, including contact details, products and services, and an understanding of how they will utilize calling
- The differences between “Communicating End Entity (CEE)” customers vs. “Communication Service Provider (CSP)” customers
- Red flags, and customers who require enhanced due diligence
- Metrics that should be monitored on an ongoing basis
- How to handle trial accounts, and more
All providers are strongly encouraged to review the standards and establish a documented approach to knowing their upstream and downstream providers. But what else should providers do to prepare for the new mandates?
A Plethora of Possibilities to Monitor
Per the latest decree from the FCC, providers are to take “reasonable and effective steps”—or as the Cloud Communications Alliance refers to it above, “The FCC does not define the exact due diligence steps to be taken other than that they are effective.” In other words, providers must be “effective” but “reasonable” steps are anybody’s guess!
That said, providers would be ill-advised to wait until the FCC offers specifics. KYC standards are a great start, but there is also a wealth of technology to consider. As just one example of how to monitor and address fraudulent activity, Commio has approached the issue from a data analytics and storage perspective. Although Commio utilizes proprietary technology, here are some aspects to consider.
- What data do you need to track? Identify the critical pieces of raw data, where this data resides in your network, and how the network might need to be reconfigured so that the data can get where it needs to go. (Also take into consideration data centers and cloud environments.)
- How to measure for fraud? Once you have the raw data and a storage plan, decide how to use the data to determine what qualifies as “normal” vs. “fraudulent” activity. Identify historical calling patterns vs. current patterns using data such as length of call, network efficiency ratios, country of origin relative to the specific account, etc. (OpenSIPS 3.2 is a great building block for this part!)
- How to enforce against fraud? Once you’ve identified questionable patterns, you need to ensure that every part of the network that needs to know about it is made aware. Sequence is critical! Focus on the less CPU- or network-intensive operations first, so that you don’t waste resources on calling that will end up blocked. There are excellent (and free) tools such as Memcached, Redis and Couchbase to help with this step.
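The three steps above (collect the raw call data, compare an account’s current calling pattern with its historical one, then enforce with the cheapest check first) as an added example. This is not Commio’s proprietary system, OpenSIPS code, or a Memcached/Redis client: the CDR format, the account names, the “ZZ” placeholder destination, the thresholds, and the Python dict standing in for a shared cache lookup are all constructed assumptions for illustration.

```python
from collections import Counter
from statistics import mean

# Constructed sample CDRs (not real traffic). Assumed format:
# account,dest_country,answered(1/0),duration_seconds
HISTORICAL_CDRS = """\
acct-42,US,1,180
acct-42,US,1,240
acct-42,US,0,0
acct-42,US,1,120
acct-42,US,1,300
acct-42,US,1,160
acct-7,US,1,90
acct-7,CA,1,200
acct-7,US,0,0
acct-7,CA,1,130
"""
# Current window. acct-42's traffic has changed shape; "ZZ" is an ISO 3166
# user-assigned code used here purely as a placeholder destination.
CURRENT_CDRS = """\
acct-42,ZZ,0,0
acct-42,ZZ,0,0
acct-42,ZZ,1,6
acct-42,ZZ,0,0
acct-42,ZZ,1,4
acct-42,ZZ,0,0
acct-7,US,1,110
acct-7,CA,1,180
acct-7,US,0,0
acct-7,US,1,95
"""
# Assumed thresholds; tune them against your own history.
ACD_DROP_RATIO = 0.5        # current average call duration below half of baseline
ANSWER_DROP_RATIO = 0.5     # current answer ratio below half of baseline
NEW_COUNTRY_FRACTION = 0.3  # more than 30% of calls to never-before-seen countries
EMPTY_BASELINE = {"acd": 0.0, "answer_ratio": 0.0, "countries": Counter(), "attempts": 0}

def parse_cdrs(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, country, answered, duration = line.split(",")
        records.append({"account": account, "country": country,
                        "answered": answered == "1", "duration": int(duration)})
    return records

def window_metrics(records):
    """Per-account ACD, answer ratio (a simple stand-in for a network
    efficiency ratio) and destination-country mix for one window of CDRs."""
    acc = {}
    for rec in records:
        m = acc.setdefault(rec["account"],
                           {"attempts": 0, "answered": 0, "durations": [], "countries": Counter()})
        m["attempts"] += 1
        m["countries"][rec["country"]] += 1
        if rec["answered"]:
            m["answered"] += 1
            m["durations"].append(rec["duration"])
    return {a: {"acd": mean(m["durations"]) if m["durations"] else 0.0,
                "answer_ratio": m["answered"] / m["attempts"],
                "countries": m["countries"], "attempts": m["attempts"]}
            for a, m in acc.items()}

def score_account(baseline, current):
    """Compare a current window against the account's historical baseline;
    returns the red flags raised (an empty list means nothing unusual)."""
    flags = []
    if baseline["acd"] > 0 and current["acd"] < baseline["acd"] * ACD_DROP_RATIO:
        flags.append("acd_drop")
    if baseline["answer_ratio"] > 0 and \
            current["answer_ratio"] < baseline["answer_ratio"] * ANSWER_DROP_RATIO:
        flags.append("answer_ratio_drop")
    known = set(baseline["countries"])
    new_calls = sum(n for c, n in current["countries"].items() if c not in known)
    if new_calls / current["attempts"] > NEW_COUNTRY_FRACTION:
        flags.append("new_destination_countries")  # also fires for accounts with no history
    return flags

def review_accounts(historical_text, current_text):
    base = window_metrics(parse_cdrs(historical_text))
    cur = window_metrics(parse_cdrs(current_text))
    return {a: score_account(base.get(a, EMPTY_BASELINE), m) for a, m in cur.items()}

class Enforcer:
    """Cheap check first: one lookup in a shared key-value store (a dict here,
    standing in for Memcached/Redis) runs before any expensive analytics, so
    traffic that is already blocked never costs a scoring pass."""
    def __init__(self):
        self.blocklist = {}    # account -> reason; what every node would read from the cache
        self.scoring_runs = 0  # counts the expensive work actually performed

    def check_call(self, account, historical_text, current_text):
        if account in self.blocklist:                       # step 1: cheap lookup
            return ("block", self.blocklist[account])
        self.scoring_runs += 1                              # step 2: expensive scoring
        flags = review_accounts(historical_text, current_text).get(account, [])
        if len(flags) >= 2:                                 # publish so every node sees it
            self.blocklist[account] = ",".join(flags)
            return ("block", self.blocklist[account])
        return ("review", ",".join(flags)) if flags else ("allow", "")

if __name__ == "__main__":
    enforcer = Enforcer()
    for acct in ("acct-42", "acct-42", "acct-7"):
        print(acct, enforcer.check_call(acct, HISTORICAL_CDRS, CURRENT_CDRS))
    print("scoring runs:", enforcer.scoring_runs)
```

Two accounts with no history at all would only raise the new-country flag and land in review rather than block, which is the kind of treatment trial accounts need. In a real deployment the blocklist write and read would go to the shared cache so that edge nodes reject a call before it reaches the analytics tier.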
To hear more about this approach, review the webinar video titled “Everything You Know About STIR/SHAKEN is Wrong!”
* * * * *
Regardless of the data or tools you choose to help you get to know your customers and upstream providers, it’s vital to create a well-defined process with assigned responsibilities before the FCC comes calling. Even more importantly, blocking fraudulent calls before they move downstream will optimize your reputation and help ensure that your legitimate customers’ calls are delivered.