FCC Proposes to Clarify and Expand Know-Your-Customer Obligations for Voice Providers

On April 30, 2026, the Federal Communications Commission (FCC) adopted a Further Notice of Proposed Rulemaking (FNPRM) seeking comment on proposals to expand and formalize Know-Your-Customer (KYC) obligations for originating voice service providers (VSPs) and to establish per-call penalties for violations of newly adopted KYC rules. The FCC also seeks comment on whether to create a safe harbor for VSPs that deploy effective AI or automated systems to support KYC compliance and prevent illegal calls.

Key Takeaways

• The FCC proposes to require originating VSPs to collect, retain, and verify specific customer information before provisioning service, including the customer's name, physical address, government-issued identification number, and alternate phone number. The FNPRM would also require additional diligence for "high-volume" customers as described below.
• The FCC proposes imposing a $2,500 per-call base forfeiture for originating VSPs that fail to take affirmative, effective measures to prevent customers from using their networks to originate illegal robocalls in violation of 47 CFR § 64.1200(n)(4), which imposes the affirmative KYC requirements on VSPs.
• The FCC seeks comment on whether AI or other automated technologies are currently used by originating VSPs for KYC compliance and whether effective AI-based fraud detection systems should shield providers from liability.
• The FCC also seeks comment on whether KYC obligations should differ for prepaid versus postpaid customers.

Core Elements of the FCC's Proposal

KYC Information Collection

Under 47 CFR § 64.1200(n)(4), a VSP must "[t]ake affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic." To date, the FCC has not imposed prescriptive KYC requirements, instead relying on a flexible, principles-based framework that allows providers to determine what measures are appropriate for their operations.

The FNPRM proposes to replace that approach with more prescriptive requirements. Originating VSPs would be required to obtain and retain the name, physical address, government-issued identification number, and alternate telephone number of any new or renewing customer before provisioning service. (It is not clear from the FNPRM what a VSP must do if a customer only has one telephone number on which they rely.)

The proposal would also require originating VSPs to collect additional information from high-volume customers, including the intended use of the service (i.e., education, marketing, political campaigns, etc.) and the IP address from which calls will originate (although the FCC recognizes that IP address designations will have limitations due to VPNs, etc.). The FNPRM also does not define "high-volume," instead proposing a flexible approach under which providers would determine what constitutes "high-volume" traffic in the context of their service offerings and individual customer characteristics. The FCC also seeks comment on several related definitions that could significantly affect implementation, including what qualifies as a "physical address," who should be considered a "new" or "renewing" customer, and how the rules should apply to foreign customers.

The FCC further asks whether KYC requirements should vary depending on whether the customer purchases prepaid or postpaid service. In particular, the FCC asks about current industry practices for collecting KYC information for prepaid customers, what measures are feasible when prepaid services are sold through third-party vendors, and whether prepaid customers can generate high volumes of illegal calls.

KYC Verification, Retention, and Reverification

The FNPRM would require originating VSPs to obtain documentation verifying a customer's identity, such as copies of government-issued identification. For high-volume customers, the FCC seeks comment on whether providers should collect additional documentation, including corporate formation records, confirmation that a telephone number is active and assigned to the customer, third-party verification of the customer's physical address, and evidence of an operational website or storefront.

The FCC identifies several indicators that could constitute red flags during customer vetting. These include the use of a registered agent, virtual office, or residential address as a commercial customer's physical address. Other potential red flags include a lack of commercial presence, a suspicious or nonfunctional website, an unusual email address, a mismatch between the customer's state of incorporation and stated address, and payment for services using nontraceable cryptocurrency.

The FCC further asks whether originating VSPs should be required to reverify KYC information when traffic patterns change or other red flags arise, such as where a domestic U.S. company is transmitting traffic from a foreign-based IP address or dormant accounts suddenly reappear and send large volumes of calls. Alternatively, the FCC asks whether providers should conduct periodic reverification. In addition, the FCC seeks comment on whether providers should retain collected KYC information for the full statute of limitations applicable to misuse of services to place illegal calls, which is four years following termination of the customer relationship.

Use of AI

In response to ex parte filings submitted before the FNPRM's adoption, the FCC seeks comment on whether AI and other automated technologies are currently used by originating VSPs to support KYC compliance. The FCC also asks whether effective AI-based systems, automated compliance tools, or accredited third-party identity verification services should function as a safe harbor for originating providers that deploy them.

Penalties

The FCC has issued KYC-related fines before, but the FNPRM would establish a per-call base forfeiture of $2,500 for violations of 47 CFR § 64.1200(n)(4), which imposes the affirmative KYC requirements for originating VSPs. Base fines may be adjusted upward under the criteria in 47 CFR § 1.80, which allows the FCC to consider factors such as the egregiousness of the conduct, the degree of intent, the harm caused, any economic gain, repeated or continuous violations, and the provider's prior compliance history. Importantly, the FCC appears to have already rejected the idea of a "per customer" penalty framework, noting that such a framework would only result in a single base forfeiture regardless of the number of calls transmitted and thus less likely to encourage future compliance.

Potential Extension of the KYC Framework

The FCC seeks comment on whether KYC compliance should be addressed more explicitly in Robocall Mitigation Database filings, whether originating providers should be subject to independent compliance audits or verification, and whether downstream providers should be required to block traffic from originating providers that fail to comply with KYC requirements similar to the safe harbor that allows terminating providers to generally block call traffic from bad-actor upstream VSPs.

Potential Impact

Expanded Compliance Obligations and Regulatory Uncertainty

The proposal would materially expand the compliance obligations of originating VSPs and increase enforcement risks associated with KYC information collection and verification failures. Although the FCC's proposal could provide greater clarity by specifying the information providers must collect, such clarity reduces flexibility that had afforded more protection from enforcement. The new and undefined "high-volume customer" standard could create additional uncertainty and require providers to comply with different obligations depending on a customer's classification.

Privacy and Data Security Risks

The proposal also raises meaningful privacy and data-security concerns. If adopted, it would require providers to collect and retain sensitive customer information, such as government-issued identification numbers and IP addresses. Concentrating this information in provider systems could increase the consequences of a data breach, insider misuse, or third-party vendor failure, particularly if providers must retain KYC records for multiple years after the customer relationship ends. Commenters may therefore wish to urge the FCC to incorporate data-minimization principles, clear retention limits, and robust security safeguards into any final rules.

Increased Enforcement Exposure

The proposed per-call penalty structure could significantly increase the financial exposure of originating voice service providers. A $2,500 per-call base forfeiture could escalate quickly when a single customer generates high call volumes, particularly because the FCC proposes to pair prescriptive KYC requirements with an undefined "high-volume customer" standard that may invite after-the-fact enforcement scrutiny of providers' determinations about its customers. To avoid unintended consequences, the final rule should implement safe harbor protections for providers that adopt and apply reasonable KYC practices in good faith, clarify that penalties apply only when an illegal call has occurred absent prior KYC vetting, and confirm that one-off or nonrecurring administrative deficiencies do not trigger enforcement liability.

Continued Spotlight on Robocall Mitigation at FCC's May 2026 Open Meeting

Keeping with its focus on illegal robocalls, the FCC approved at its May 2026 open meeting a "Know Your Upstream Provider" FNPRM, which proposes additional robocall mitigation regulations that tie into the agency's proposed KYC obligations. These include changes to the FCC's STIR/SHAKEN compliance framework and call attestation standards, modifications to the oversight obligations for the current STIR/SHAKEN Governance Authority, and new compliance and information collection obligations for downstream VSPs. We will cover this FNPRM more fully in a separate advisory.

Conclusion

Interested parties should use this opportunity to address the scope of the proposed per-call penalty rule, the implications of a risk-based framework built around an undefined "high-volume customer" standard, the effectiveness of AI and other automated technologies to detect bad actors and prevent illegal calls, and whether the proposal is likely to achieve the FCC's stated objectives. Please let us know if you have any questions about the proposal or comment process.

Comments and reply comments on the FNPRM's proposals will be due 30 and 60 days, respectively, after the date of publication in the Federal Register, which has not yet occurred.

+++

John Nelson is counsel and Victoria Randazzo is an associate in the Washington, D.C. office of DWT. For questions or more insights, please reach out to the authors or another member of our communications team and sign up for our alerts.