appliedbits
LIBRARY  ·  Trust governance LIBRARY ENTRY
Last updated 2026-05-06 drafted

FCC current rulemaking on caller identity, KYC, and KYUP

The FCC has been steadily codifying caller-identity authentication expectations in formal rulemaking since the TRACED Act mandate took effect. Three currently-active items map the next stage of that trajectory. Each addresses a different layer of the framework — content presentation, originating-customer verification, upstream-provider verification — and together they describe a more rigorous trust regime than current rules alone support.

This page is a working summary of where each item sits, what it proposes, what it asks, and what to expect next. The items are in different stages: one adopted and in comment cycle, one just adopted and awaiting Federal Register publication, one still a draft pending Commission vote. The page evolves as items progress.

My involvement spans multiple layers of this work — substantive contributions to the comment record on these items, and ongoing participation in the earlier-stage standards forums where the underlying technical analysis happens (the IETF, ATIS, and previously the NANC CATA Working Group). The framing here is from inside that work.

The Call Branding FNPRM (October 2025)

FCC 25-76, adopted October 28, 2025, released October 29, 2025. The FCC refers to this item as the “Call Branding FNPRM” in subsequent documents — a useful informal name since the combined item touches multiple dockets and proceedings. Combined item:

  • Ninth Further Notice of Proposed Rulemaking in CG Docket No. 17-59
  • Seventh Further Notice of Proposed Rulemaking in WC Docket No. 17-97
  • Further Notice of Proposed Rulemaking in CG Docket No. 02-278
  • Public Notice in CG Docket No. 25-307

Comments were due January 5, 2026; reply comments February 3, 2026.

What it proposes

The central proposed rule, in the FCC’s own words: voice service providers must transmit verified caller identity information to a consumer’s device in instances when the provider chooses to transmit an A-level attestation to the consumer’s device. The triggering condition matters — the rule applies when the provider has already decided to convey the A-level attestation, at which point the verified caller identity must accompany it. The proposed delivery mechanism is RCD — the verified information carried in a signed PASSporT (RFC 9795, the substantive STIR working group specification). Delivery to end-user devices over the SIP UNI is the supplementary side of the architecture (RFC 9796), out of scope for the cross-network mandate the FNPRM is centered on.

The FNPRM also proposes that originating providers be required to verify that any transmitted caller-identity information is accurate before signing the PASSporT, and that intermediate providers transmit the information securely to terminating providers without alteration.

What it asks

Several substantial questions accompany the proposed rules:

  • Whether legacy CNAM should be deprecated in favor of trust-anchored identity systems capable of end-to-end authentication. The FNPRM characterizes CNAM as unauthenticated, out-of-band data that cannot provide cryptographic or authoritative assurance of identity.
  • What “caller identity information” means precisely — what fields, what verification standards, what trust anchors.
  • How to handle calls originating outside the United States, including foreign-originated calls using US numbers.
  • Whether the rules should accommodate alternative branded calling implementations or standardize on RCD as the delivery mechanism.

Why it matters for the framework

The Ninth FNPRM is the regulatory anchor for moving from SHAKEN’s network-authentication baseline (verified calling number) toward authenticated caller-identity content (verified name, branding, reason for call). It explicitly endorses RCD as the delivery mechanism for that content. The CNAM deprecation question, if answered affirmatively, would mark the formal sunset of the legacy database-lookup model in favor of cryptographically authenticated identity.

The KYC FNPRM (April 30, 2026)

FCC 26-27, adopted April 30, 2026 at the FCC’s April Open Meeting. Further Notice of Proposed Rulemaking in CG Docket Nos. 17-59 and 02-278. Follows the October 2025 Call Branding FNPRM in sequence and substance — the Call Branding item addressed what gets transmitted to consumers; the KYC FNPRM addresses what originating providers must know about who is placing the calls in the first place.

The FCC’s existing KYC rule already requires originating providers to “take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.” The KYC FNPRM seeks comment on strengthening that baseline — and, separately, proposes one specific rule: per-call penalties for KYC violations.

Awaiting Federal Register publication, which will set the comment dates. Publication timing varies — could be a couple of weeks to over a month. Initial comments will be due 30 days after Federal Register publication; reply comments 60 days after.

What it actually proposes

This is where the structural distinction matters. The KYC FNPRM proposes one rule: per-call forfeiture penalties for violations of the existing KYC rule. The proposal would tie fines directly to the volume of illegal calls associated with a provider’s failure to vet its customers, replacing the traditional per-violation penalty structure with one keyed to call volume.

The rationale: per-call penalties create stronger incentives for compliance than fixed per-violation fines, and align enforcement consequences with the scale of harm caused.

What it asks (without proposing as rules)

The FNPRM seeks comment, in the FCC’s own framing, on “customer identification requirements for new and renewing customers and requirements for originating providers to verify, retain, and re-verify customer information.” Note the phrasing — the Commission is asking what the requirements should be, not proposing them as rules. This is a structural distinction with operational consequences: industry positions filed in response to the questions will substantially shape what eventually gets proposed in a follow-on item or adopted in the Report and Order.

The specific questions cover:

  • Customer information collection. What identity attributes should originating providers be required to collect — name, physical address, government-issued ID, alternative phone numbers? Should requirements vary by service type (prepaid vs postpaid, traditional vs nomadic VoIP)?
  • Verification. Should providers be required to verify customer identity before service activation? What verification standards should apply? How should KYC interact with the STIR/SHAKEN attestation framework?
  • Re-verification. Should providers be required to re-verify customer information when red flags arise — unusual calling patterns, suspicious conduct, traffic anomalies?
  • Retention. Should KYC records be retained for at least four years after the customer relationship ends, to ensure enforcement actions can be pursued before the statute of limitations expires?
  • Risk-based differentiation. Should KYC requirements vary by customer risk profile, intended service use, or other factors?
  • Privacy and customer-friction concerns. What privacy considerations apply? How should the requirements balance compliance rigor with legitimate customer experience?

What to expect after comments

After the comment period closes, the FCC will assess the record and likely move to a Report and Order that:

  • Sets the per-call penalty rule (as currently proposed).
  • Sets additional KYC rules informed by what the comments support — the substantive collection, verification, retention, and re-verification requirements that comments endorse with adequate justification.

The structure means the comment period is unusually consequential. Industry positions filed in response to the asked questions will substantially shape what gets proposed as rules in the follow-on, and ultimately what gets adopted. Coordinated filings from industry groups, individual providers, consumer advocates, and law-enforcement stakeholders will all matter.

Why it matters for the framework

Strong KYC at originating providers is the precondition for the A-attestation strengthening that the Eighth Report and Order implied and the Ninth FNPRM extends. The attestation levels discussion notes the FCC trajectory toward enforcing what A-attestation was always supposed to mean — KYC-grounded confidence about the responsible entity, based on authenticated relationship with the endpoint. The KYC FNPRM is the FCC making that precondition operationally explicit.

If the rules eventually adopted require name + address + government ID + alternative phone before service activation, plus retention and re-verification, the KYC baseline becomes substantial enough that A-attestation can carry the trust weight the model originally placed on it. The vendor-overuse problem covered on the attestation-levels page becomes harder to sustain when KYC violations carry per-call penalties.

The KYUP FNPRM (May 20, 2026 vote scheduled)

Draft fact sheet released April 29, 2026. Scheduled for Commission vote at the May 20, 2026 Open Meeting. Further Notice of Proposed Rulemaking in WC Docket No. 17-97 and CG Docket No. 17-59.

About a month behind the KYC FNPRM in process. Once voted, will go to Federal Register; comment dates set thereafter.

Three goals stated in the draft

The draft fact sheet states three goals for the KYUP FNPRM:

  1. Cutting providers that enable robocalls out of the voice ecosystem through improved KYUP requirements and STIR/SHAKEN oversight.
  2. Raising the standards for how voice service providers apply STIR/SHAKEN attestations, so attestations are more trustworthy.
  3. Closing STIR/SHAKEN implementation loopholes that currently let some providers participate without making attestation decisions about traffic they handle.

What it proposes (a host of due-diligence rules)

In contrast to the KYC FNPRM’s narrow rule proposal plus broad question-asking, the KYUP FNPRM proposes a host of due-diligence rules. Voice service providers would be required to:

  • Collect specific information from upstream providers: general business information, financial information, ownership and affiliate information, operational and service information.
  • Perform due diligence on upstream providers’ compliance with FCC rules, including KYC and KYUP requirements, STIR/SHAKEN obligations, and traceback participation.
  • Consider traceback history — whether the upstream provider has been the source of tracebacks or failed to respond to traceback requests.
  • Refuse or discontinue service when an upstream provider may be the source of illegal calls.

The FNPRM also proposes:

  • Codifying the SHAKEN attestation levels in FCC rules — bringing A/B/C attestation criteria from the ATIS standard into formal FCC regulation.
  • Specific requirements to satisfy each attestation level, with enforcement consequences for misattestation.
  • Attestation prohibitions preventing assignment of higher levels than the underlying knowledge supports.
  • Enhanced oversight by the STI-GA of voice service provider compliance with attestation criteria.
  • Closing definitional loopholes that currently exempt some providers from making attestation decisions — requiring all providers serving end users to make attestation-level decisions for traffic they place.

What it asks

Beyond the proposed rules, the FNPRM seeks comment on:

  • Foreign-originated calls and whether further KYUP / caller-ID authentication actions should target the problematic-foreign-call problem specifically.
  • A comprehensive review of the existing STIR/SHAKEN caller-ID authentication rules to simplify, clarify, remove unnecessary redundancy, and ensure consistency.
  • Resource allocation and oversight tradeoffs — what additional resources or processes the STI-GA would need to perform expanded oversight.

Why it matters for the framework

The KYUP FNPRM is doing several things at once. The headline is upstream-provider due diligence, but the codification of the attestation levels and criteria into FCC rules may be the more consequential piece architecturally. Once attestation criteria are FCC rules rather than just ATIS standards, misattestation becomes a Commission-enforceable violation rather than purely an industry-coordination matter. That changes the operational incentives for providers’ attestation-decision practices in ways that have not yet been visible in deployment.

The loophole-closing dimension matters too. Current STIR/SHAKEN rules have implementation exemptions and definitional gaps that let some providers participate in the framework without making attestation decisions about traffic they handle. Closing those gaps — requiring all providers serving end users to make attestation-level decisions — would substantially expand the universe of traffic that gets attested decisions.

How the three items connect

Read together, the three FNPRMs map a coordinated tightening of caller-identity authentication accountability across three layers:

  • Content presentation layer (Call Branding FNPRM, Oct 2025) — verified caller identity information must accompany A-level attestations when the provider chooses to transmit them, with RCD as the proposed delivery mechanism and CNAM deprecation on the table.
  • Originating-customer layer (KYC FNPRM) — per-call penalties for KYC violations now, with substantive collection / verification / retention requirements anticipated to follow based on the comment record.
  • Upstream-provider layer (KYUP FNPRM) — due-diligence rules on voice service providers regarding the upstream providers from which they accept traffic, plus codification of attestation criteria into FCC rules.

Each layer addresses something the others can’t. The Ninth FNPRM strengthens what the called party sees and trusts. The KYC FNPRM strengthens the originating provider’s knowledge of who is actually placing calls. The KYUP FNPRM strengthens the boundary conditions on which providers can hand off traffic to each other. None of these alone is sufficient; together they describe a more rigorous accountability regime than current rules support.

The trajectory also signals the FCC’s continuing willingness to use rulemaking to close gaps that industry coordination alone hasn’t fully closed. The vendor practices that devalued A-attestation, the operational variance in how providers handle attestation decisions, the unauthenticated-CNAM problem — these are issues that have been visible in industry discussions for years. The current rulemaking trajectory makes them subjects of formal enforcement, with the consequences that brings.

What to expect next

The near-term timeline:

  • Late May 2026: KYUP FNPRM voted at the May 20 Open Meeting. Federal Register publication follows; comment dates set.
  • June-July 2026: KYC FNPRM Federal Register publication expected, comments due 30 days later, replies 60 days after that.
  • August-September 2026: KYUP FNPRM Federal Register publication expected on similar timeline.
  • Late 2026 / early 2027: Comment periods close; FCC staff analyzes records.
  • 2027: Likely Report and Orders on each item, possibly combined or sequenced. Some items may go through additional FNPRM rounds depending on what comments support.

The Call Branding FNPRM (Ninth FNPRM) is further along; its Report and Order could arrive in the second half of 2026, especially if the Commission moves to act on the verified-caller-name proposal quickly.

This page will be updated as items move through the cycle. Notebook entries linked from this page cover specific operational arguments — including whether the per-call penalty model is the right enforcement structure, whether codifying ATIS attestation criteria into FCC rules helps or hinders the framework’s adaptability, and whether upstream-provider due-diligence rules can be operationalized at the scale the ecosystem needs.

Where this fits

The three FNPRMs sit at the regulatory layer of the trust governance topic. The substantive technical analysis behind them traces through earlier work — the NANC CATA Working Group reports that informed the framework’s earlier rulemakings, the FCC Robocall Strike Force that established STIR/SHAKEN’s regulatory weight, the ATIS standards that define the attestation criteria the KYUP FNPRM proposes to codify.