Week ending June 26, 2026
The comment deadline on the Enhancing Know-Your-Customer Requirements FNPRM landed Thursday, and the entire identity-and-robocall ecosystem filed at once — banks, carriers, identity vendors, competitive providers, domestic-violence coalitions, and the EFF, all into CG 17-59/02-278 on June 25. It is the most complete snapshot we have had in a while of who wants what out of upstream identity, and the record splits along three main axes: the financial sector and the identity vendors want the Commission to mandate more and price violations harder; the carriers want to keep the flexible standard they already operate under; and the privacy bar wants the Commission to remember it is about to build a database of every caller in America. Cutting across all three is the numbering-administrator view that none of it works unless the check attaches to the number itself.
The KYC comment deadline splits the room three ways
Start with the camp that wants the rules tightened, because it filed the most coordinated record. The American Bankers Association led an eleven-organization financial coalition — ACA International, the American Financial Services Association, America’s Credit Unions, the Bank Policy Institute, the Consumer Bankers Association, the Defense Credit Union Council, the Electronic Transactions Association, the Financial Technology Association, the Mortgage Bankers Association, and the Student Loan Servicing Alliance — and asked for exactly what the carriers do not want: that “the Commission Should Require Originating Providers to Collect Specific Information from Business Callers Before Allowing the Caller to Originate Calls on the Provider’s Network,” and that it “Codify a Base Forfeiture Amount” for providers that fail to take effective measures. This is the bank-impersonation problem — the costliest scam vector in the FTC’s $3.5 billion imposter-scam tally from two weeks ago — being attacked from the rulemaking side by the institutions getting impersonated. They want mandates and they want a number attached to noncompliance.
The identity vendors filed alongside them, and Numeracle wrote the comment worth reading in full. Its frame is that the Commission is finally fixing the right end of the call: “Past regulatory efforts have unfairly placed the burden of preventing fraud on terminating carriers, despite the fact that they are the least well-positioned to bear that burden because they lack the information needed to know who is actually calling and why,” and “the Commission is now rightly shifting its focus to call origination, and indeed to a point before origination, by restricting criminals’ access to telecom services in the first place.” The line that ties this docket to the Call Branding proceeding — and to where this section has been for weeks — is Numeracle’s rule for name display: “The ecosystem should not display a caller name, logo, brand, or call reason unless a trusted entity has verified that the caller is entitled to use that identity. Without KYC, branded calling could become a premium impersonation channel.” Its proposed rule is one sentence: “no name display without identity verification, whether through branded calling or legacy CNAM. Period.” That is the originating-to-terminating data path Provenant drew last week, stated as a display rule: KYC at onboarding is the thing that earns the name on the handset, and if you sell the name without the verification you have built a paid impersonation product. Numeracle also does the Commission’s privacy balancing for it — enterprises, financial institutions, healthcare systems and high-volume callers “generally have little legitimate privacy interest in concealing their organizational identity when they are calling consumers; indeed, many are paying for branded calling precisely so their identities will be delivered,” while “individuals, low-volume residential users, prepaid users, unhoused persons, domestic violence survivors, and other vulnerable populations should not face unnecessary barriers to basic communications service.” Verify by risk and volume, not across the board.
Twilio came down on the same side, supporting “the FCC’s policies to enhance the KYC obligations of originating voice service providers” and pitching its own “Know Your Traffic” overlay on top of KYC — prescriptive rules, it argued, “benefit all actors in the U.S. voice market.” That is notable because Twilio is a CPaaS platform that would have to operationalize whatever the Commission adopts, and it is asking for the prescription rather than the flexibility its trade associations are demanding.
Somos filed from a vantage neither camp quite occupies. As the administrator of the Toll-Free Number Registry and the Reassigned Numbers Database — and, as it takes care to note, an entity that “does not participate in the voice marketplace as a carrier, reseller, voice service provider, or originating provider” — it reframed the question around the number rather than the customer. Knowing the legal identity of a caller, Somos argued, “is necessary, but it is not sufficient. A provider may know the name of the entity purchasing service but still lack a reliable basis to know whether that entity is authorized to use the telephone numbers, calling name, Rich Call Data (‘RCD’), branded identity, or other caller identity information associated with its traffic.” Its proposed fix is to bind KYC to right-to-use of the number: because “numbers are a public resource and the right to use them is a conditional privilege rather than a property right, using a number to defraud, impersonate, or deceive the called party is a proper basis for restricting or revoking access to that resource.” Two of its secondary points cut usefully across the camp lines. On the FNPRM’s re-verification and records questions, Somos argued that “effective KYC is best understood as an ongoing, continuous process” rather than a document-retention exercise. And on safe harbors it took no position on whether one is the right instrument, but urged that whatever baseline the Commission adopts “favor verification whose results are represented through open, published, and interoperable standards” rather than an “opaque or proprietary process” that cannot be independently checked. That standards-neutrality argument lands on the same ground INCOMPAS stakes out against proprietary mandates, while the right-to-use framing pulls toward Numeracle’s: both are ultimately saying the onboarding check only matters if it attaches to something verifiable that travels with the call — for Somos, the authority to use the number itself.
Because the other camp filed the mirror image. CTIA wants the Commission to “maintain its current flexible approach to KYC,” to “decline to adopt a one-size-fits-all approach to business KYC,” and — if it must move — to “partner with industry to offer baseline business-facing KYC guidelines that act as a regulatory safe harbor” rather than a mandate. USTelecom put the same thesis in its section heading: “Providers Need Flexibility, Not One-Size-Fits-All KYC Mandates, To Combat The Ever-Evolving Tactics Of Illegal Robocallers,” arguing providers “are best situated to develop dynamic KYC processes.” INCOMPAS got specific about what it will not accept, urging the Commission to “reject specific proposals in the Further Notice that are operationally unworkable or harmful to legitimate customers, including mandatory IP address collection, mandatory periodic re-verification, and the proposed $2,500 per-call penalty framework as currently structured,” and to keep any framework “open, competitively neutral,” not built on “proprietary or industry-controlled solutions that create barriers for competitive providers.” That last clause is aimed squarely at the vendor camp: the competitive carriers see a verified-identity mandate as a channel for the identity vendors to sell into a regulatory requirement. NCTA, Verizon, NTCA, ACA Connects, WISPA, Voice on the Net Coalition and the Cloud Communications Alliance all filed in the same flexibility register. So the live fight is not whether to do KYC — everyone says they do it — but whether the Commission writes a mandatory floor with a per-call penalty (ABA’s “$2,500” codified, in INCOMPAS’s telling) or a flexible safe harbor.
Underneath that fight, three filers made the argument that should worry both camps: the verification method the FNPRM leans on is already breaking. Prove Identity, which describes itself as “the trust layer for 19 of the top 20 financial institutions in the United States” and says it authenticates “more than 20 billion transactions annually,” drew the banking-to-telecom comparison the FNPRM invites and put the weight on the difference between collecting and verifying: “Self-reported identification information cannot be reliably trusted in performing a KYC check on a consumer as the identification information about most consumers is already exposed. A fraudster has access to most, if not all, identification information that an originating provider would look to collect.” Its point is that “the collected information must be verified by the originating providers,” not merely gathered — which is also a direct answer to the carriers’ objection that a collection mandate is just paperwork: Prove’s position is that the paperwork is exactly the part that doesn’t work. (It also brought the week’s one substantive SIM-swap data point, citing the FBI’s IC3 2025 report — 971 SIM-swap complaints and $17.4 million in reported losses — as the kind of small-volume, high-harm vector enhanced KYC should be designed to close.) Incognia, a device-and-location-identity company, warned that “document and biometric verification are the surfaces currently under the most rapid attack,” that “generative AI has industrialized the production of fraudulent identity artifacts at a scale and quality that were not possible even a few years ago,” and — the part to file away — that the threat is moving past humans entirely: “The trajectory is already visible in agentic AI, where automated systems carrying synthetic identities open accounts and transact at scale without a human in the loop. This matters for the FNPRM’s core design choice. A regime anchored on collecting a government-ID number and matching a face to a document is built on exactly the inputs generative AI is best at” fabricating. The Better Identity Coalition made the same point from the policy side — “many of the solutions that are used in KYC are facing new attacks such as deepfakes fueled by generative AI” — while noting AI is “also enabling new solutions to guard against many of these threats.” The implication for an applied-identity reader is the one this section keeps circling: if the document-and-selfie KYC the FNPRM contemplates is the thing AI defeats most easily, the durable answer is cryptographically verifiable organizational credentials anchored to real identifiers — the architecture Provenant and Numeracle keep describing — not a bigger pile of collected ID numbers sitting in carrier databases.
Which is the EFF’s cue. The Electronic Frontier Foundation, filing with the ACLU, made the honeypot argument against precisely that pile: the approach “will create a database of personal information of every American that would be too lucrative for cybercriminals to ignore,” especially “given the telecommunication industry’s proven inability to be good stewards of data.” It tied the collection to speech harms — “anonymity in calls provides people the safety they may require to organize,” and the regime “will lead to a loss of privacy that directly harms and silences consumers, while also creating an exclusionary impact.” Set EFF next to the vendor camp and the shape of the wise answer emerges from the record itself: collect less raw PII, verify more cryptographically, and tier the obligation so the domestic-violence survivor and the prepaid user are not swept into the same mandate as the call center dialing a million numbers a day. Somos drew that line most explicitly, and in a way aimed straight at the honeypot worry — split the obligation by who is calling. An enterprise “is often identified by the very calling identity it wants consumers to see, so it can be represented relatively openly,” it argued, while “an individual consumer, by contrast, has legitimate and well-recognized privacy interests.” Its reconciliation is a custodian model: the originating provider should “act as custodian of the subscriber’s identity,” so that “the ecosystem can rely on the existence of a verified and accountable responsible party behind a call without that party’s personal information being exposed in the ordinary course.” That is the same instinct behind Numeracle’s enterprise-versus-vulnerable tiering, and Somos would draw the line on risk signals “rather than on whether a customer is prepaid or postpaid” — a calibration meant to “neither burden the consumers who depend on affordable service nor shield the fraud operation that hides among them,” with business callers conversely needing “more than a nominal corporate registration” to clear the bar. Whether the Commission can build a custodian-style scheme that EFF would actually trust the carriers to operate — given the data-stewardship track record EFF just finished citing — is the unresolved question; but the record now contains a real answer to the honeypot, not just the objection. The Nevada Coalition to End Domestic and Sexual Violence and the California Partnership to End Domestic Violence filed to make sure that tiering does not get lost.
Looking ahead
Replies on the KYC FNPRM are the thing to watch: the comment record now has a clean three-way split, and the reply round is where the carriers get to answer the financial coalition’s “mandate it and codify a forfeiture” ask, where the vendors get to answer INCOMPAS’s “don’t make us buy proprietary solutions” objection, and where someone may finally engage Incognia’s argument that the document-based verification at the center of the proposal is the part AI breaks first. The questions worth carrying into the replies: whether the carriers engage the originating-to-terminating framing that Numeracle, Somos, and Provenant keep pressing — KYC as the thing that earns the name on the handset — or whether the fight stays narrowly about per-call penalties and mandatory IP collection; and whether anyone hands the Commission a workable version of the tiered, custodian-style privacy model that would let it answer EFF’s honeypot objection rather than just absorb it. The reply deadline is the next real milestone.