Know Your Customer: FCC Requirements Explained

Michael Tindall

…and other ways to protect your reputation

Lately there’s been a lot of focus on “Know Your Customer,” or KYC. While that seems relatively intuitive, what specifically does it mean for telecommunications in the cloud, and compliance in particular? For starters, KYC is at the heart of STIR/SHAKEN legislation, with the Federal Communications Commission (FCC) initially requiring that every VoIP provider know their customers well enough to assign an appropriate attestation level and document every user’s business information—and now get to know their immediate upstream providers, as well.

New Requirements from the FCC

Most recently, the FCC has mandated several new requirements for providers, effective January 8, 2024. The Cloud Communications Alliance sums them up as:

  • All voice providers must fully respond to requests to traceback illegal calls within 24 hours.
  • All originating voice service providers must block illegal traffic upon notification by the FCC that they are carrying identified illegal traffic. Traffic substantially similar to the identified illegal traffic must also be blocked. This replaces a current rule that requires originating providers to take mitigating action (but not necessarily block) traffic upon FCC notice.
  • If a provider receives a notice described above but is not the originating provider, it must immediately identify the upstream provider and take lawful steps to mitigate the traffic.
  • Providers downstream of an originating or gateway provider that fails to block calls after FCC notification must block all traffic from that provider. The FCC will issue an order identifying the provider whose traffic must be blocked.
  • All intermediate and terminating providers must take steps to know their immediate upstream provider (called Know Your Customer or KYC). This effectively makes all providers in the call path responsible for the calls that transit their networks. The FCC does not define the exact due diligence steps to be taken other than that they are effective.  Examples of effective steps include obtaining a physical address, contact person(s), state or country of incorporation, federal tax ID, and understanding the nature of the upstream provider’s business. Commio abides by these requirements and collects this information from our customers.

The FCC’s order also requires providers to update their robocall mitigation plan filed in the Robocall Mitigation Database (RMDB) to certify compliance with these new obligations (you can see Commio’s here under “thinQ”).  The deadline for updating the RMD filing has not yet been set, but will likely occur in mid-2024.

Know Your Customer Standards

In support of communications providers adopting KYC as a mechanism “to prevent and mitigate fraudulent and illegal activity” around calling, our friends at Numeracle have developed Model Standards for Know Your Customer. Specifically, the document covers:

Know Your Customer Standards (Numeracle)

To get a copy of Numeracle’s model standards, visit

  • KYC roles and responsibilities within your organization
  • A list of information required of each customer, including contact details, products and services, and an understanding of how they will utilize calling
  • The differences between “Communicating End Entity (CEE)” customers vs. “Communication Service Provider (CSP)” customers
  • Red flags, and customers who require enhanced due diligence 
  • Metrics that should be monitored on an ongoing basis
  • How to handle trial accounts, and more

All providers are strongly encouraged to review the standards and establish a documented approach to knowing their upstream and downstream providers But what else should providers do to prepare for the new mandates?

A Plethora of Possibilities to Monitor

Per the latest decree from the FCC, providers are to take “reasonable and effective steps”—or as the Cloud Communications Alliance refers to it above, “The FCC does not define the exact due diligence steps to be taken other than that they are effective.” In other words, providers must be “effective” but “reasonable” steps are anybody’s guess!

That said, providers would be ill advised to wait until the FCC offers specifics. KYC standards are a great start, but there is also a wealth of technology to consider. As just one example of how to monitor and address fraudulent activity, Commio has approached the issue from a data analytics and storage perspective. Although Commio utilizes proprietary technology, here are some aspects to consider.

  • What data do you need to track? Identify the critical pieces of raw data, where this data resides in your network, and how the network might need to be reconfigured so that the data can get where it needs to go. (Also take into consideration data centers and cloud environments.)
  • How to measure for fraud? Once you have the raw data and a storage plan, decide how to use the data to determine what qualifies as “normal” vs. “fraudulent” activity. Identify historical calling patterns vs. current patterns using data such as length of call, network efficiency ratios, country of origin relative to the specific account, etc. (OpenSIPS 3.2 is a great building block for this part!)
  • How to enforce against fraud? Once you’ve identified questionable patterns, you need to ensure that every part of the network that needs to know about it is made aware. Sequence is critical! Focus on the less CPU or network intensive operations first, so that you don’t waste resources on calling that will end up blocked. There are excellent (and free) tools such as Memcached, redis and Couchbase to help with this step.

To hear more about this approach, review the webinar video titled “Everything You Know About STIR/SHAKEN is Wrong!

* * * * *

Regardless of the data or tools you choose to help you get to know your customers and upstream providers, it’s vital to create a well-defined process with assigned responsibilities before the FCC comes calling. Even more importantly, blocking fraudulent calls before they move downstream will optimize your reputation and help ensure that your legitimate customers’ calls are delivered.

Essential Guide for Cloud Communications Compliance & Cybersecurity:

Download the full eBook


Part 1: Compliant Calling in the Cloud – Call Compliance, STIR/SHAKEN | Dialing Strategies | Dealing with SPAM Labels

Part 2: Text Messaging Compliance – Getting Started with Messaging Campaigns | Different Messaging Types, Compliance | Long Code Compliance Checklist | 7 Traits of a Good Provider

Part 3: Securing Your Voice & Messaging Business – Empowering Your Team | The Human Element | Cybersecurity 101 | Know Your Customer! | The Robocall Mitigation Database | Toll Fraud

Date posted: August 30, 2023

Topic: International   Outbound   Outbound Voice   Toll-Free   Uncategorized  

Tags: Know Your Customer   STIR SHAKEN   VoIP Fraud  

Michael Tindall

Michael Tindall leads Commio's product development and engineering teams. While attending Clemson University, Michael co-founded Tsoft Solutions, purchased by ClearSky Networks. Next he built and ran support for US Networks. Michael then worked for Bandwidth till he was approached by Aaron Leon to build a cloud-based routing system. The rest is history. Michael is a “40 under 40” winner, and one of only 18 OpenSIPS Certified professionals worldwide. When not coding the future of telecom, you’ll find him enjoying movies, cars, entertaining, and exercising.

Recent posts from Michael Tindall

Get the latest from Commio

We’ll send you one email a month featuring our latest blog content.