FCC Proposes Expanded KYUP Rules, Enhanced STIR/SHAKEN Standards for Voice Providers

Key Takeaways

The Federal Communications Commission (FCC) adopted a Further Notice of Proposed Rulemaking (FNPRM) proposing significant changes to the robocall mitigation framework that would require voice service providers (VSPs or providers) to step up due diligence on the traffic on their networks and block unauthenticated Session Initiation Protocol (SIP) calls at all points in the call path. The item focuses on strengthening "know-your-upstream-provider" (KYUP) obligations, tightening STIR/SHAKEN attestation practices, and closing perceived gaps in caller ID authentication implication.

If adopted, the FNPRM would:

• Establish five mandatory KYUP baseline compliance categories applicable to all VSPs, which would apply at multiple stages of the provider relationship—including before entering into upstream provider agreements, when renewing or renegotiating existing agreements, and when new information about an upstream provider arises.
• Require VSPs to describe their KYUP practices in robocall mitigation database filings and maintain supporting records.
• Codify the A-, B-, and C-level STIR/SHAKEN attestation framework and establish clearer rules governing how those attestations may be assigned to calls.
• Expand oversight of the Secure Telephone Identity Governance Authority (STI-GA)[1] and strengthen vetting requirements for providers seeking Service Provider Code (SPC) tokens.
• Require retail VSPs to determine attestation-levels for SIP calls, which would impose new obligations on VSPs that directly serve end users, such as resellers and contact center service platforms.
• Require VSPs to notify the FCC and STI-GA when they reasonably believe another provider may be transmitting illegal calls or violating authentication rules.
• Implement enhanced monetary penalties for KYUP violations, improper attestations, and failures to implement STIR/SHAKEN.

This advisory summarizes each of the above and other FNPRM proposals in detail. Readers interested primarily in the practical implications for industry participants may wish to review the Potential Impact section at the end of the advisory, which highlights the key operational. compliance, and enforcement consequences for VSPs and related industry participants.

Background

The FNPRM builds on the FCC's robocall mitigation framework and the STIR/SHAKEN caller ID authentication system, which enables VSPs to digitally sign and verify caller ID information for IP‑based calls to deter spoofing and help identify trusted sources. The framework also relies on the Robocall Mitigation Database (RMD) and associated rules, which require VSPs to certify their robocall mitigation practices and prohibits VSPs from accepting calls from providers not listed in the RMD. Additional elements include call blocking rules, traceback coordination requirements, and due diligence obligations applicable to both customers and other providers in the call path.

In April 2026, the FCC adopted a separate Know‑Your‑Customer (KYC) FNPRM addressing VSP vetting of end‑user customers—a distinct issue from that being addressed in this newer FNPRM, which is focused on VSP vetting of other providers from which they receive traffic. The FCC argues that additional measures proposed in the current FNPRM are necessary because the effectiveness of STIR/SHAKEN and related tools depends heavily on provider compliance. Indeed, as the FNPRM explains, enforcement actions and industry data show that some providers continue transmitting illegal calls or applying improper attestations, allowing bad actors to exploit weaknesses in the existing robocall mitigation framework.

Expanded KYUP Requirements

The FNPRM proposes to replace the FCC's existing KYUP rule with a more detailed set of baseline compliance obligations that would apply to all VSPs.

Currently, providers must take "reasonable and effective steps" to ensure that upstream VSPs are not transmitting large volumes of illegal calls. The FCC now proposes to require providers to take "affirmative, effective measures" to prevent upstream VSPs from transmitting any illegal calls, not merely high volumes of such traffic. To operationalize this requirement, the FCC proposes five baseline KYUP categories: (i) information collection; (ii) compliance review; (iii) information verification; (iv) monitoring; and (v) responsive action.

Information Collection

The FCC proposes requiring providers to collect extensive information directly from upstream VSPs before establishing or renewing service relationships, including:

• Basic corporate and contact information (including prior business names or trade names);
• Ownership and affiliate relationships, including beneficial owners;
• Operational and corporate formation records;
• Financial and billing information;
• Online presence and commercial activity; and
• Details about the services the upstream VSP offers and the customers it serves.

Compliance Review

The FCC proposes requiring VSPs to conduct regulatory compliance checks verifying that each of their upstream VSPs:

• Has an active RMD filing;
• Has obtained an SPC token if it claims STIR/SHAKEN implementation;
• Has not been subject to certain FCC enforcement actions or licensing revocations; and
• Does not appear on national security-related lists such as the Covered List or Foreign Adversary Control System.

VSPs would also be encouraged to evaluate an upstream VSP's traceback history and robocall mitigation practices.

Information Verification

The proposal would require providers to verify the upstream VSP's legitimacy using basic diligence steps, which may include:

• Confirming that listed contact information is valid;
• Speaking directly with company principals;
• Reviewing websites and public records; and
• Investigating potential inconsistencies regarding the upstream VSP's ownership, location, and/or operations.

The FCC also suggests comparing information across providers to detect potential shell entities or replacement companies created by previously sanctioned actors.

Monitoring

The FCC proposes ongoing VSP monitoring requirements, including:

• Periodic checks of upstream VSP regulatory status;
• Use of call analytics to detect suspicious traffic patterns;
• Review of traceback information and enforcement developments; and
• Evaluation of new information suggesting improper authentication or suspicious call origination.

Responsive Action

Finally, VSPs would be required to take responsive action when KYUP monitoring identifies significant risks related to an upstream VSP. Under the FNPRM, providers must refuse or discontinue service when:

• The VSP lacks an "objectively reasonable basis" to conclude the upstream VSP is legitimate;
• Evidence suggests the upstream VSP is transmitting illegal calls;
• The upstream VSP lacks required regulatory filings or authentication credentials; and/or
• The upstream VSP has been subject to significant regulatory enforcement actions.

The FCC proposes a safe harbor from the agency's call blocking rules to better spur providers to take action and make objectively reasonable decisions to refuse or discontinue a relationship with an upstream VSP. The FCC also proposes associated record retention and documentation requirements supporting refusal or discontinuance decisions and asks whether and how VSPs should be permitted to use third-party due diligence services to support VSP decisions.

Increased Oversight of the Secure Telephone Identity Governance Authority

Today, the STIR/SHAKEN framework operates through an industry-led governance structure that includes STI-GA, a Policy Administrator, and Certification Authorities that issue digital certificates used to sign calls. The FNPRM proposes a significant shift to greater federal involvement and oversight.

SPC Token Vetting

The FCC proposes requiring STI-GA to strengthen its policies for issuing SPC tokens. The new vetting procedures would incorporate KYUP-style diligence measures similar to those described above, including information collection and verification requirements. The FCC proposes requiring STI-GA to deny tokens when there is reason to believe an applicant will not comply with STIR/SHAKEN obligations.

Certification Authority Vetting

The FCC proposes additional scrutiny and clearer selection criteria for entities seeking to act as Certification Authorities. The FCC seeks comment on whether conflict-of-interest rules should apply to Certification Authorities with relationships to VSPs, including when they are also acting as VSPs.

Revocation and Enforcement

The FCC proposes requiring STI-GA to take a more active role in identifying the misuse of SPC tokens and certificates. Proposed measures include: (i) formal information-sharing arrangements with traceback organizations and analytics providers; (ii) procedures for investigating suspected violations; and (iii) processes for suspending or revoking tokens and removing Certification Authorities from the calling ecosystem.

Reporting and Appeals

The FCC seeks comment on establishing formal appeals processes for certain STI-GA decisions and requiring STI-GA to submit quarterly reports to the FCC describing enforcement actions, investigations, and complaints.

Raising STIR/SHAKEN Attestation Standards

Under the existing STIR/SHAKEN framework, originating providers assign one of three attestation levels to authenticated calls: (i) A‑level attestation, which indicates that the VSP knows the customer and can verify that the customer is authorized to use the calling number; (ii) B‑level attestation, which indicates that the VSP knows the customer but cannot confirm the customer's right to use the specific number; and (iii) C‑level attestation, which indicates that the VSP has no direct relationship with the call originator.

The FNPRM states that frequent improper attestations are undermining the usefulness of authentication data.

Codifying Attestation Standards

The FCC proposes to codify the three attestation levels so as to clarify expectations and provide a clearer enforcement framework.

Clarifying Attestation Criteria

The FCC proposes more specific rules governing when each attestation level may be used. For example, in an attempt to clarify which VSPs are eligible to assign higher attestation levels and provide real validation of traffic quality, the FCC proposes defining "origination" as the technological act of placing a customer's outgoing call onto the network using the VSP's own facilities. The FCC also proposes linking attestation eligibility to compliance with KYC and KYUP obligations, meaning that VSPs must satisfy all relevant due diligence requirements before asserting that they have a direct, authenticated relationship with a customer. To verify a customer's right to use a telephone number, the FCC proposes two acceptable mechanisms: (i) assignment of the number by the originating VSP; or (ii) use of delegate certificates, which allow VSPs to demonstrate authority to use numbers assigned by initiating providers.

Prohibiting Improper Attestations

The FCC also proposes explicitly prohibiting improper attestations, which would include assigning an attestation level inconsistent with the information a VSP possesses or is required to obtain. The FCC also seeks comment on prohibiting practices such as pay‑for‑attestation arrangements or other commercial incentives that influence attestation decisions.

Closing STIR/SHAKEN Implementation Loopholes

The FCC proposes changes intended to close gaps that allow calls to traverse networks without reliable authentication information.

Clarifying Provider Definitions

The FCC proposes adopting new or revised definitions for several key categories of providers (i.e., initiating, originating, intermediate, gateway, terminating, domestic, and foreign providers) as well as for other undefined, but frequently used, industry terms (e.g., upstream, downstream, customer, and end user). These definitions would clarify how STIR/SHAKEN obligations apply throughout the call path and ensure that all relevant VSPs are captured by the rules.

Repealing Certain Implementation Extensions

The FCC proposes eliminating the remaining implementation extension for VSPs unable to obtain an SPC token, concluding that such barriers no longer justify an exemption. The FCC also seeks comment on whether to eliminate the remaining extension for certain satellite‑based providers. Importantly, the exemption for providers that lack control of the network infrastructure necessary to implement STIR/SHAKEN would remain in place, and the FCC proposes to codify it.

Attestation Obligations for Providers Serving End Users

The FCC proposes requiring all retail VSPs to determine attestation levels for SIP calls placed by their users. Although facilities‑based providers would continue to perform the technical act of signing calls, this proposal would now also require certain resellers and contact center service platforms serving end users to make attestation decisions based on their knowledge of their end users.

Preserving Authentication Information

The FCC proposes several measures designed to ensure that authentication information persists throughout the call path. These include: (i) prohibiting VSPs from intentionally routing calls through non‑IP networks to strip authentication information; (ii) requiring providers to block unauthenticated SIP calls in certain circumstances; and (iii) requiring intermediate providers to authenticate certain calls they receive from non‑IP networks. The FCC believes these measures would reduce incentives for providers to route calls through legacy network segments to evade authentication requirements.

Additional Authentication Requirements

The FNPRM includes several operational proposals intended to strengthen the reliability of caller ID authentication information as calls traverse the network and to better ensure that authentication information remains available to terminating providers and call analytics systems. First, because of the suspicion that some VSPs currently use legacy network segments to strip authentication information and reduce scrutiny of suspicious calls, the FCC proposes prohibiting providers from originating or intentionally routing calls over non‑IP networks when an IP route is available. Second, the FCC proposes requiring intermediate and terminating VSPs to block SIP calls using North American Numbering Plan resources that arrive without authentication information, subject to exceptions for emergency communications. Third, the FCC proposes requiring intermediate VSPs to authenticate certain calls they receive from non‑IP networks before transmitting those calls over IP networks.

Additional Issues for Comment

Beyond the core KYUP and STIR/SHAKEN proposals, the FCC also seeks comment on several related issues. These include:

• Foreign‑Originated Illegal Calls and Gateway Provider Responsibilities. The FCC asks whether additional steps are needed to address illegal calls originating from abroad. It seeks comment on requiring gateway providers to scrutinize foreign upstream VSPs, identify nominally "domestic" providers that are actually foreign, and adopt stronger KYC and KYUP contractual requirements. The FCC also asks how these proposals would interact with Cross Border Call Authentication (CBCA) efforts and potentially prohibit gateway providers from accepting authentication information from foreign VSPs in the absence of CBCA.
• Applying STIR/SHAKEN to Telecommunications Relay Services (TRS) Providers. The FCC seeks comment on applying STIR/SHAKEN to TRS providers, including VRS, IP Relay, and IP CTS. It asks whether these providers qualify as VSPs, whether they should be treated as non‑facilities‑based providers, and whether STI-GA should modify its policy so they are able to obtain SPC tokens. The FCC also asks whether undue‑hardship extensions or alternatives (e.g., A‑level attestation treatment by downstream VSPs) may be appropriate.
• Potential Impacts on Public Safety Communications. The FCC asks how the proposals could affect public safety communications, including 911, NG911, and 988. It seeks comment on VSP operations in transitional TDM/IP emergency‑calling environments and whether VSPs should identify TDM conversions needed for 911 delivery. The FCC also asks whether suspicious 911 spoofing should be reported and whether call‑blocking and RMD carve‑outs should expressly cover calls to and from the 988 Suicide & Crisis Lifeline.

Enforcement and Implementation

To strengthen enforcement of its existing and newly proposed robocall mitigation rules, the FCC proposes new forfeiture amounts for certain violations. These include: (i) a $2,500 per-call base forfeiture for KYUP violations; (ii) a $1,000 per-call base forfeiture for improper attestations or unauthenticated calls; and (iii) a $2,500 base penalty for failing to implement STIR/SHAKEN. The FCC also proposes requiring VSPs to report suspected violations by other providers to both the FCC's Enforcement Bureau and STI-GA.

Potential Impact

Expanded Due Diligence for Upstream VSPs

The proposed KYUP framework would transform the current rule from a flexible standard into a more structured due diligence regime. If adopted, these requirements could require many VSPs—particularly wholesale carriers, resellers, and intermediate providers—to formalize onboarding, monitoring, and escalation procedures that currently may be handled informally or through contractual representations alone, which would be extremely resource-intensive.

Greater Exposure to Enforcement Risk

Proposed new forfeiture standards would be imposed on a per‑call basis—and, for some requirements, treated as continuing violations—so providers could face substantial enforcement exposure if compliance programs are not properly implemented. If adopted, VSPs will need to take even greater care to implement and document compliance measures to try to avoid enforcement actions and to bolster mitigation defenses in the event the FCC identifies a violation.

More Structured Attestation Decision Processes

The proposal to codify attestation criteria and link them to compliance with KYC and KYUP obligations would likely require providers to adopt more formalized attestation decision processes. Thus, if adopted, VSPs likely will need to reassess how they verify customer identity and number‑use rights before applying A‑ or B‑level attestations.

New Responsibilities for Resellers and Other Providers Serving End Users

The proposal requiring all providers that serve end users directly to determine attestation levels for those users' SIP calls could significantly affect resellers, hosted voice platforms, and enterprise communications providers that previously relied on facilities‑based partners to make authentication decisions. If adopted, these entities would need to participate more directly in the STIR/SHAKEN call ecosystem by evaluating end‑user relationships and providing attestation decisions that originating VSPs must apply when authenticating calls.

Expanded Oversight of the STIR/SHAKEN Governance Ecosystem

The FCC's proposals to expand oversight of STI-GA and strengthen SPC token vetting requirements could reshape how VSPs gain and maintain access to the authentication ecosystem. VSPs seeking to obtain or maintain SPC tokens may face additional diligence and monitoring requirements.

Interaction with the FCC's Parallel KYC Rulemaking

The KYUP proposals should also be considered alongside the FCC's separate KYC FNPRM, which focuses on VSPs' diligence requirements for their end‑user customers. If both proceedings ultimately result in new rules, VSPs could face parallel compliance frameworks, which would significantly expand the diligence, monitoring, and documentation obligations associated with providing voice services in the United States and accepting calls originating from abroad. Providers should consider these proceedings and their interactions with the FCC on these topics in tandem, as many arguments and proposals related to one of the FNPRMs will likely impact the other.

Conclusion

Interested parties should use this opportunity to address the scope of the proposed per-call penalties, additional obligations related to STIR/SHAKEN attestation standards, enhanced KYUP requirements, and the implications of increased oversight over STI-GA. Please let us know if you have any questions about the proposal or comment process.

Comments and reply comments on the FNPRM's proposals will be due 30 and 60 days, respectively, after the date of publication in the Federal Register, which has not yet occurred.

+++

John Nelson is counsel, and Victoria Randazzo and Marina Sansom are associates in the Washington, D.C. office of DWT. For questions or more insights, please reach out to the authors or another member of our communications team and sign up for our alerts.