appliedbits
DISPATCH  ·  Regulatory Watch
PUBLISHED 2026-06-20

Week ending June 12, 2026

A week ago the numbering NPRM was a footnote — three early comments waiting on a deadline. On Monday the deadline arrived and the proceeding became the whole front page. More than thirty comments landed in the WC 26-49 cluster (cross-listed across 20-67, 13-97, and 07-243), the trade associations arrived in close formation, and by midweek nineteen members of Congress had filed a letter of their own. The fight that organized almost the entire record was narrower than the NPRM’s title suggests: not robocalls in the abstract, but whether the Commission should restrict number cycling and squeeze multi-level number resale down to a single tier.

The number-cycling fight finds its battle lines

FCC 26-17, released in March, proposes three things the industry cared about this week: restrictions on number cycling, a limit on number resale to a “single level,” and an expansion of who has to file NRUF reports. On the resale and cycling questions, the major filers lined up with striking consistency. USTelecom, through Nirali Patel, urged the Commission “to avoid limiting number resale to a single level or imposing an outright ban on legitimate number cycling practices,” and to instead lean on “targeted modifications to NRUF reporting to assist with identifying the actual sources of numbering abuse.” ATIS, through Thomas Goode, made the same move on the merits: “number cycling is not inherently illegitimate and should not be treated as a reliable proxy for unlawful robocalling,” and a single-level resale limit “would reduce competition, increase costs, and disrupt providers serving niche or specialized markets.”

The Voice on the Net Coalition, through Glenn Richards, warned that “prohibiting number cycling will harm legitimate users and not limit fraud,” and that sub-resale restrictions tried elsewhere have “stifled innovation, favored incumbents, increased costs, and failed” on their own terms. INCOMPAS put the alternative most bluntly: the NRUF-centric proposals “are unlikely to yield meaningful benefits for reducing illegal robocalls” because “NRUF reports cannot be submitted frequently enough to keep up with companies specializing in illegal robocalling and the NRUF reports are not integrated with STIR/SHAKEN.” Its prescription — “[r]ather than focus on changing NRUF rules, the Commission should focus on accelerating full adoption of STIR/SHAKEN and addressing the existing limitations of that framework” — is the through-line connecting half a dozen of these filings. Twilio, through Paul Kenefick, backed “rigorous ‘Know Your Customer’ (‘KYC’) and ‘Know Your Traffic’ (‘KYT’) protocols” while calling the sub-assignment restrictions “premature, inconsistent with the Communications Act, and harmful,” and asking for “targeted, behavior-based regulations that close the phone number transparency gap.”

The most interesting filing for an identity reader came from Numeracle, through Keith Buell, which reframed the entire premise. “Verified callers should not need to cycle numbers,” it argued. “The entire rationale for number cycling by legitimate callers is that their numbers accumulate negative analytical scoring they cannot control or correct. A healthcare system calling from a verified, registered number does not need to cycle through numbers to avoid spam labels. It needs the infrastructure to establish, maintain, and deliver its verified identity.” That ties the cycling problem directly to the branded-calling/KYC franchise — and Numeracle went on to spell out the KYC/KYUP architecture it wants: every call should clear KYC “that reaches to the actual entity itself that has its finger on the dial button,” with KYUP done on everyone upstream. CTIA, through Sarah Leggin, leaned on the same toolkit, pointing the Commission at “a multilayered approach that includes implementation of the STIR/SHAKEN call authentication standard, robust Know Your Customer (‘KYC’) practices,” and RCD-based branded calling — its own Branded Calling ID, “which leverages STIR/SHAKEN to give consumers more information about who is calling and why.” Bandwidth (Tamar Finn, Greg Rogers) made the forward-looking version of the argument: adopt “a forward-looking numbering framework aligned with the realities of IP interconnection,” and “less desirable behaviors, such as number cycling, will be diminished” as STIR/SHAKEN signaling, Rich Call Data, and traceback mature together.

Inteliquent, through Ronald Del Sesto, contributed the week’s sharpest piece of compliance arithmetic, on the NPRM’s per-OCN foreign-ownership certification proposal: requiring a separate perjury-backed certification for each of 177 operating company numbers in one corporate family “produces burden without information. The Commission learns nothing from the 177th identical attestation that it did not learn from the first, while the certifying officer’s exposure scales 177-fold for what is, in substance, one statement.” Against this nearly uniform skepticism, the support came from outside the carriers. The eight-association financial bloc led by the ABA’s Jonathan Thessin — AFSA, America’s Credit Unions, BPI, CBA, the Electronic Transactions Association, the Financial Technology Association and others — told the Commission that “[f]raud continues to be a pervasive problem” and welcomed the proposals aimed at the spoofing pipeline, the mirror image of last week’s onshoring split where the same trades wanted the anti-fraud pieces finalized and the rest dropped.

Nineteen members of Congress, and the AI-voice subtext

On Wednesday the proceeding picked up a political endorsement. In a letter, nineteen House members — Michael Lawler, Tim Moore, Dan Meuser, María Salazar, Zach Nunn, Young Kim, Ann Wagner and a dozen others — wrote “in strong support” of the numbering NPRM and, unlike most of the record, came down squarely for the cycling restrictions: “We strongly support the Commission’s proposed restrictions on number cycling and urge that they be adopted with clear, enforceable standards.” The letter is worth reading for its framing of the stakes — “Americans reported approximately $15.9 billion in fraud losses in 2025, the highest amount ever recorded, with phone calls representing the contact method for nearly 20 percent of all fraud reports” — and for naming the threat the docket mostly talks around: “Criminals now use AI-powered voice cloning to make bank impersonation calls nearly indistinguishable from the real thing, and exploit ‘number cycling’ — rapidly rotating through large blocks of phone numbers — to evade detection.” Their ask beyond the rule itself is an interagency one: formalize coordination with Treasury and the financial regulators, since “[r]obocall-driven scams almost always culminate in financial transactions.”

The KYC docket draws its first serious identity-vendor comment

The verified-identity machinery is being built one docket over, in the Enhancing Know-Your-Customer Requirements FNPRM (FCC 26-27, CG 17-59/02-278), and this week it drew a comment worth the full read. iProov, a biometric identity-verification vendor, filed to tell the Commission that the threat model has already moved past the rules being written. It documented “a rapid escalation in injection attacks, including a 741% increase in iOS-targeted injection attacks in late 2025,” and cited its own research finding that “only 0.1% of human participants could accurately distinguish real from fake content across all stimuli” — the case against manual or live-video KYC review in a single number. Its policy ask is specific and standards-forward: align KYC guidelines with “NIST SP 800-63-4 Identity Assurance Level 2 (IAL2),” mandate third-party certifications (FIDO Face Verification, ISO/IEC 30107-3 for presentation-attack detection, CEN/TS 18099 for injection-attack detection), and condition any safe harbor on those testable benchmarks rather than on “ambiguous terms such as ‘banking-level security.’”

Two threads in the iProov comment are worth flagging for where this is heading. First, on privacy and the proposed four-year retention mandate, it pushes the Commission toward decentralized credentials — “the W3C Verifiable Credentials Data Model 2.0” with BBS+ signatures for selective disclosure, so a provider can “mathematically prove” a subscriber was verified to IAL2 “without the OSP absorbing the material financial and operational risks of centrally storing the raw identity data.” That is verifiable-credentials infrastructure being proposed as the answer to a robocall-KYC retention problem, which is exactly the convergence this section keeps watching. Second, iProov frames the whole enforcement design around incentives, citing the Commission’s “$4.5 million Notice of Apparent Liability against Telnyx LLC and the $1 million consent decree with Lingo Telecom LLC” as proof that “self-regulation and a reliance on positive intent has failed.” The comment also surfaced as actual consumer sentiment: a visible mini-wave of individual CG 17-59 filers turned up this week with attachments named “FCC_KYC.txt” and “burner_phones.docx,” civilians weighing in on the same proceeding. And Numeracle, in a footnote to its numbering comment, gave the synthetic-actor problem its driest articulation: its description of a scammer’s manual workflow “could soon be out of date as AI proliferates. Perhaps in the future, a scammer need only use agentic AI and enter ‘Devise and execute a scam’ as the prompt. Perhaps that has already happened.”

Honorable mentions

A coordinated trio of petitions for reconsideration (Cin-Q Automobiles, Anderson + Wanca itself, and Career Counseling, all through Glenn L. Hara) landed Thursday in CG 02-278/05-338/25-307, contesting the Commission’s housecleaning order dismissing “Outdated or Otherwise Moot Robocalls Petitions.” These are junk-fax plaintiffs whose long-pending TCPA and Junk Fax Prevention Act petitions got swept into that dismissal; the reconsideration cluster is a bid to pull them back out, and worth a glance for anyone tracking how the Commission’s old-petition backlog gets cleared.

Looking ahead

The numbering NPRM now turns to replies, and the line to watch is whether the near-unanimous opposition to a single-level resale limit holds, or whether the financial trades and the congressional letter’s “adopt the cycling restrictions” position pull the Commission toward a split-the-difference rule that keeps multi-level resale but tightens cycling and NRUF reporting. The Enhancing KYC docket is the one to keep a hand on — iProov’s standards-and-safe-harbor framework is the most concrete vendor proposal the proceeding has drawn, and reply comments will show whether the carriers engage with IAL2 and certified injection-attack detection or treat KYC as a checkbox. CSRIC X holds its first meeting on June 23, where the tenth council’s working-group assignments will signal which security and reliability problems the Commission wants studied next. And on 18-89, expect the rip-and-replace recipients granted extensions this week to start filing the enhanced progress reports their conditional grants now require.