appliedbits
DISPATCH  ·  Regulatory Watch
Published 2026-05-23

Week ending May 22, 2026

Two big items dropped on the same day. On Wednesday, May 20, the Commission adopted — and released Thursday — the Know-Your-Upstream-Provider Further NPRM (FCC-26-32), the STIR/SHAKEN overhaul that the ex parte traffic had been telegraphing for a month. What had been a circulation draft now has a paragraph count and a forfeiture schedule. The same week, the comment clock on the customer-service onshoring NPRM (CG 26-52) — a proceeding that is really about who overseas gets to touch consumers’ sensitive personal information — ran down, the Bureau granted a week’s extension, and the trade associations showed up in force. The two proceedings share a docket and a roster of filers, so the week reads as one continuous argument about who you have to trust before a call connects: the provider upstream, and the human (or the AI) on the other end of the line.

The KYUP Further NPRM is finally on paper

The headline is no longer a circulation draft. FCC-26-32, Call Authentication Trust Anchor / Advanced Methods to Target and Eliminate Unlawful Robocalls (WC 17-97, CG 17-59), was adopted May 20 and released May 21, with separate statements from Chairman Carr and Commissioners Gomez and Trusty. The comment date is 30 days after Federal Register publication; replies 60 days. The introduction lays out three goals in plain terms: “(1) cutting voice service providers that enable robocalls out of the voice ecosystem through improvements to know-your-upstream-provider (KYUP) requirements and STIR/SHAKEN oversight; (2) raising the standards for how voice service providers apply STIR/SHAKEN attestations to calls so attestations are more trustworthy; and (3) closing STIR/SHAKEN implementation loopholes.”

The most concrete piece is the KYUP due-diligence specification in Section III.A — and it is more prescriptive than the draft language the ex partes had been reacting to. The Commission proposes that originating and intermediate providers actively vet upstream providers’ commercial presence, looking for “excessive spelling and grammatical errors, being created recently, apparent copying of another company’s website, apparently fake customer reviews, or use of fake photos for leadership and listed employees (e.g., stock photos, potentially AI-generated photos, or photos of persons with no relationship to the provider).” It is a small phrase, but worth flagging: the FCC is now writing AI-generated synthetic media into the affirmative diligence a provider owes about the company feeding it traffic. The vetting list also pulls in foreign-adversary control — whether an upstream is “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” — which quietly wires the Covered-List frame into the robocall regime.

On attestations, the Commission proposes to codify the A/B/C levels and to attach prohibitions to improper signing, and it makes its case with the enforcement record. The FNPRM revives the Lingo matter as Exhibit A: the Commission “found that Lingo Telecom applied A-level attestations to 3,978 spoofed robocalls carrying a deepfake generative AI voice message purporting to be from then-President Joe Biden.” It then stacks on the data that A-level attestation has become nearly meaningless as a trust signal — “93.4% of robocall traffic from the most prolific robocall signers now carry A-level attestations” and “48 percent of illegal calls are A-attested,” with an American Bankers Association analysis finding that of 12,900 calls spoofing 47 large banks, retailers, and healthcare providers, “more than half of the calls received an A-level or B-level attestation.” That is the rationale for tightening who may sign at what level, and it is the part of the item most relevant to anyone building verified outbound voice.

Two more structural notes. The FNPRM carries forward the TRS-attestation problem the relay providers raised in early May — Section III.D.1 is specifically “STIR/SHAKEN for TRS Providers,” so that ask landed inside the item rather than being deferred. And on enforcement, the proposed forfeiture schedule prices a “Per call know your upstream provider violation” at $2,500, the number that will concentrate minds at the smaller originating providers once this is final.

The first reactions are already in. Cape (Private Tech Inc.) filed a May 21 ex parte that goes straight at the KYC half of the regime, urging the Commission “to decline to adopt the proposed universal KYC collection of name, physical address, government-issued identification number, copy of government-issued ID, and an alternate telephone number” before service, arguing instead for an incentive-based approach that “would incentivize current and future innovation in support of fighting illegal calls without the need for prescriptive, blanket KYC requirements.” Cape also points abroad, noting that the United Kingdom, Belgium, Germany, and “a number of other European jurisdictions” have had success requiring domestic carriers to block inbound international calls that display domestic numbers — a reminder that a U.S.-only KYC mandate does nothing about the foreign-originated traffic the FNPRM itself flags in Section III.D.2.

One bit of procedural color: the Office of General Counsel released DA-26-522 on May 22, a Notice of Prohibited Presentation, flagging that a party made a written presentation in 17-97/17-59 during the Sunshine Agenda period — after ECFS was already warning filers that “your filing may be subject to a prohibition at this time.” Somebody filed through the warning. The appendix names the party; worth a glance for who was overeager.

The onshoring NPRM comment cycle goes loud

The week’s second engine is CG Docket 26-52, Improving Customer Service and Protecting Consumers Through Onshoring (cross-listed with CG 17-59, 02-278, and 22-2; the underlying item is FCC 26-16, released March 27). Strip away the customer-service framing and this is a data-access-and-disclosure proceeding: it proposes to limit foreign call centers’ handling of consumers’ sensitive personal information, to require disclosure when a call is handled offshore, and to offer callers a transfer to a domestic center. Comments were due May 26; on May 21 the Consumer and Governmental Affairs Bureau issued DA-26-510, a 7-day extension that resets the dates to June 2 for comments and June 29 for replies — “a brief extension [that] will help commenters to develop more comprehensive responses … without jeopardizing the Commission’s ability to move forward expeditiously.” That extension is why the filings clustered at week’s end, and the lineup splits cleanly.

On the supporting side, the America First Legal Foundation filed in favor of the rule, framing onshoring of customer-support call centers as a quality-of-life and national-security win and leaning on its own track record against the agency — it reminds the Commission that the Fifth Circuit “adopted AFL’s argument that the FCC lacked statutory authority” to collect broadcaster race and sex data, a not-subtle signal about who will litigate the authority question whichever way it breaks.

On the opposing side, the tech and creditor trades arrived together. CCIA argued the proposed measures, “unless scoped appropriately, are likely to be inconsistent with international trade commitments the United States has undertaken and that Congress has approved,” and are otherwise “overly burdensome and not necessary to ensure adequate customer service.” TechNet made the cleaner version of the data-security point: “The standard for protecting sensitive consumer data should turn on whether the data is actually protected, not on where the human representative is sitting. The Commission should focus on meaningful data security and privacy practices with audit trails that many leading companies already use.” That “outcomes, not location; stay technology neutral” framing is the through-line of the opposition — and it is the same argument, almost word for word, that the analytics and KYC filers make against prescriptive rules in the robocall dockets. ACA International, for the debt-collection industry, pressed the authority and parity arguments in a six-docket ex parte: the Commission “lacks the requisite authority to impose the proposed regulations on non-communications companies,” offshore call-center service quality “equaled or exceed[s] that of onshore call centers,” “consumer privacy was equally protected because offshore call centers do not store information in offshore servers,” and existing law — the FTC Safeguards Rule, the Fair Debt Collection Practices Act — already covers the field.

Folded into the same comment cycle is the synthetic-voice angle worth pulling out. Contact Center Compliance Corp. (DNC.com) commented that any offshore-disclosure-and-transfer obligation on prerecorded or artificial-voice messages “would also include AI-generated voice content used in legitimate outbound calling,” and it argues the lawful baseline explicitly: “A prerecorded or artificial voice call or an AI-generated voice call is entirely lawful when the caller has obtained proper consent and complies with applicable disclosure and identification requirements.” This is the first place I have seen a commenter try to fix the regulatory status of AI-generated voice as a first-class, consent-gated category inside an FCC robocall docket rather than treating it only as a fraud vector. If the Commission picks up that language, “AI-generated voice” stops being shorthand for the Biden-deepfake threat model and becomes a defined, permissible call type with its own disclosure rules — a meaningful distinction for anyone building branded or verified outbound voice.

Branded calling, vanity numbers, and a fake-AI enforcement bookend

A couple of items round out the trust-signaling picture from the display side. Ignition, LLC filed a thoughtful comment on branded caller ID (02-278/17-97/17-59) that supports the Commission’s direction — “transmitting verified caller name, logo, and call reason to the called party’s handset” — but flags a gap: the framework “treats the originating number purely” as a number, and ignores the vanity toll-free brands businesses have spent decades training consumers to trust. Ignition wants the Commission to seek comment on “an optional, verified alpha-mnemonic representation of vanity toll-free numbers” carried via Rich Call Data and subject to the same identity vetting as the rest of the branded-calling regime — so a verified inbound call could display “1-800-GO-FEDEX” rather than ten digits. It is a narrow ask, but it sits right on the seam between number-based identity and brand-based identity that branded calling is supposed to bridge.

The enforcement bookend came from the FTC, and it is the week’s cleanest illustration of “fake AI plus manufactured consent.” The Commission announced settlements totaling $930,000 with Cox Media Group ($880,000), MindSift, and 1010 Digital Works ($25,000 each) over the “Active Listening” marketing service. CMG and partners claimed an AI tool that listened to consumers’ conversations through smart devices, in real time, to target ads — and claimed consumers had opted in. Per the FTC, the service “did not, in fact, listen in on consumers’ conversations or use voice data at all,” but instead resold marked-up email lists from data brokers, and “clicking through mandatory terms of service … does not constitute opt-in consent for voice data collection inside consumers’ homes.” The interesting part isn’t the imaginary microphone; it is that the FTC is policing the consent fiction — the same gap DNC.com is trying to paper over on the FCC side, where the legitimacy of an AI-voice or data-driven outreach turns entirely on whether real consent exists. Two agencies, same fault line.

Honorable mentions

A few items that don’t fit a theme but are worth knowing. S&P Global Mobility’s IHS Markit unit, through Monument Advocacy, supplemented its 02-278 emergency declaratory-ruling petition on using additional outreach channels for motor-vehicle recall notices — a TCPA-consent matter with a public-safety hook, live in 02-278. On the numbering side, the Wireline Competition Bureau released FCC-26-35, an NPRM modernizing the High-Cost program (WC 26-96/10-90) — out of the core scope but in the neighborhood — and a steady drip of small-carrier RDOF milestone-waiver petitions (MTC Communications, WTC Communications) continued in 10-90/19-126; routine, no Tier-1 names. Joe Shields filed another individual petition for declaratory ruling in 02-278, and a handful of express comments (Christina Peterson, Amanda, Raphael C.) landed on 17-59 in the KYC wash. A Public Knowledge / NDIA ex parte on the “Connectivity Policy Corps” (22-2) is digital-equity territory rather than trust-and-signaling — noted in passing.

Looking ahead

Four things for next week. First and most concrete: the June 2 onshoring comment deadline (with June 29 replies) — expect the volume to keep climbing, and watch whether USTelecom, INCOMPAS, or the major carriers weigh in on the data-access question, because the “outcomes not location” framing from CCIA and TechNet will either harden into the consensus industry position or get split by carriers who see an onshoring mandate as a competitive lever. Second, Federal Register publication of FCC-26-32, which starts the 30/60 KYUP clock; once it publishes, the scattered ex partes (ZipDX, the TRS coalition, Cape) convert into a formal comment cycle on named text, and the per-call $2,500 forfeiture and the codified attestation levels become the live fights. Third, trade-association KYUP responses — the same names opposing prescriptive onshoring rules (CCIA, TechNet, ACA) are the ones most likely to argue the KYUP diligence list is too prescriptive, so watch for the arguments to cross-pollinate between 26-52 and 17-97. Fourth, keep an eye on whether anyone runs with DNC.com’s “AI-generated voice as a lawful, consent-gated category” framing; if a larger filer or a Commissioner statement adopts it, that is the moment AI voice gets a defined regulatory lane rather than living only in the deepfake threat model.