THE FCC PROPOSES SWEEPING CHANGES TO KNOW-YOUR-UPSTREAM-PROVIDER AND STIR/SHAKEN REQUIREMENTS
In the most sweeping revisions since adoption of STIR/SHAKEN, the FCC is proposing substantial new obligations on downstream providers’ due diligence of providers that send them traffic, and an expansion of STIR/SHAKEN obligations. In light of the substantial detail in the FCC’s proposals, CCA strongly encourages providers to review the proposal, which can be found here. In the words of the FCC, this is an “ambitious” proposal.
KYUP PROPOSALS
The FCC proposes a set of five baseline due diligence measures that voice service providers must perform on upstream providers. The FCC proposes that providers (1) collect, (2) review, (3) verify, (4) monitor and (5) respond to a set of detailed information on directly connected upstream providers. To be clear, providers serving end users must be prepared to collect the requisite information and make it available to all directly connected downstream providers. All intermediate and terminating providers must collect and verify the proposed information for all directly connected upstream providers and be prepared to cut off service if the information is not forthcoming or red flags appear during subsequent monitoring.
An addendum at the end of this alert provides the proposed specific information or actions for each of these five categories of “baseline measures.” These steps must be performed (a) before entering into a service agreement with a new upstream provider; (b) before renewing or renegotiating an agreement with an upstream provider that has an existing service agreement; and (c) at any other time the voice service provider finds, receives, or is made aware of information or evidence concerning an upstream provider, such as through the proposed monitoring practices.
Providers may either collect and verify this information themselves, using mechanism of their own choosing, or rely on third parties. The FCC specially notes CCA’s suggestion to use independent, accredited third parties. The FCC proposes that providers retain the information for four years. The specific requirements for each of the five basic measures are set forth at the end of this alert.
STIR/SHAKEN PROPOSALS
The FCC believes that STIR/SHAKEN is not working as intended. It notes, for example, the prevalence of erroneous A-level attestations on illegally spoofed calls, the intentional use of TDM networks to avoid STIR/SHAKEN obligations, and the practice of some foreign providers to deploy a nominal US presence so as to be treated as a domestic provider. The FCC also acknowledges a so-called knowledge gap where the originating providers does not serve the end user directly and/or is not the provider of telephone number used in the caller ID. The FCC proposes revisions applicable to originating providers, establishes a new category of initiating providers, and imposes new authentication obligations on intermediate providers.
Among the proposals to address these concerns, the FCC proposes:
- To impose additional obligations on the STI-governance authority to more carefully vet providers eligible for SPC tokens (using some or all of the proposed KYUP obligations); to review and more carefully accredit certification authorities; and be more proactive in suspending voice providers that fail to comply with SPC token polices.
- To require all voice service providers that directly serve end-users to make attestation level determinations (even if they are not originating providers) and to require originating providers to utilize those attestations.
- For an originating provider to satisfy the requirement that it have a direct, authenticated relationship with the customer associated with the call and be able to identify the customer, it must satisfy any KYC or KYUP requirements established by the Commission.
- For an originating provider to establish a verified association with the number, the originating provider must either provide the telephone number of utilize delegate certificates.
- To prohibit voice service providers from willfully assigning attestations that are higher or lower than permissible under the STIR/SHAKEN standards and any rules the FCC establishes.
- To define a “foreign voice service provider” as a voice service provider that was created, incorporated, or organized outside of the United States, regardless of whether it has an office, operation, or facilities in the United States.
- To (1) prohibit voice service providers from intentionally routing calls over TDM networks in order to strip authentication information; (2) require that providers block unauthenticated SIP calls transmitted directly to them (except public safety calls); and (3) require that all intermediate providers authenticate any unauthenticated non-SIP calls they receive.
- To find that unauthenticated SIP calls are unlawful.
- Expand gateway providers’ mitigation obligations to any illegal foreign-originated call, not just those using a NANP number in caller ID.
These are brief summary of the STIR/SHAKEN proposals. The FCC also proposes to clarify or adopt a number of definitions and practices. CCA members again are encouraged to review the FCC’s notice.
ENFORCEMENT, REPORTING AND IMPLEMENTATION DEADLINES APPLICABLE TO KYUP AND STIR/SHAKEN
The FCC proposes a $2500 per call base fine for failure to follow KYUP requirements and a $1000 per call fine for improper attestations or violating new rules around unauthenticated calls. It also proposes a $2500 base fine, on a continuing violation bases (e.g., each day) for failure to implement STIR/SHAKEN.
The FCC proposes that voice service providers report to the FCC or STIR/SHAKEN governance authority any providers they reasonably believe are or may be transmitting illegal calls.
The FCC proposes that the rules become effective the later of 12 months after Federal Register publication of a Report and Order adopting the rules or 30 days after approval by the Office of Management and Budget (OMB) for rules that contain new or modified information collections.
Next Steps.
Initial comments on the FCC’s proposals are due August 10, 2026 and reply comments are due September 8, 2026. In light of the significant effects the proposed rules will have on CCA members, CCA anticipates filing comments and seeks your input. Please let CCA know if you have specific concerns or recommendations regarding the proposed rule changes.
Finally, the FCC, in a separate notice, has also released certain proposed changes to the robocall mitigation database (RMD) that relies heavily on the KYUP and STIR/SHAKEN proposals summarized in this alert. The comments dates for those proposed rules have not be set. CCA intends to provide a separate alert on the proposed RMD revisions.
PROPOSED KYUP REQUIREMENTS
Below we provide detailed information on the proposed new KYUP requirements for voice service providers.
Information To Be Collected:
- General business information, including:
- legal business name and supporting records (e.g., government record, government identification, lease, utility statement, search result from a government website, or report from a legitimate private database that validates company information);
- any prior business names or trade names (DBAs) the company has used in the last three years;
- a physical address that is a real place of business for the upstream provider and is not a virtual address, shared office location without a dedicated suite or floor, P.O. Box, mail forwarding service, hosted server location, registered agent, or address shared by multiple unrelated or purportedly unrelated businesses; and
- contact information, including a business telephone number and email address;
- Financial information, including: billing address, forms of payment, financial institution, and account information;
- Internet commercial presence information, such as website, social media, or apps;
- Ownership and affiliate information, including:
- information about human principals, owners, and company leadership (including ultimate beneficial owners and authorized business representatives), including their name, title, business telephone number, business email address, work address, country of residence, citizenship, and copies of government issued identification;
- information about the company’s parents, affiliates, and subsidiaries, including their business names, trade names (DBAs), place of incorporation, and principal places of business; names, addresses (including country), email addresses, and ownership stake for all individuals with 10% or more direct or indirect ownership of the company; and
- whether or not the provider or its parents, affiliates, subsidiaries, principals, owners, or leadership, and other companies where any such persons have served as a principal, owner, or leader, have been the subject of any criminal or regulatory investigations or actions in the past five years and the nature of such investigations or actions.
- Operational information, including:
- place of formation and corporate formation records, including proof of good standing;
- location of its principal operations, how long the company has been operating, and whether the company has any foreign ownership or management;
- business registration number in its jurisdiction (such as federal or state Employer Identification Numbers (EINs) for United States providers and the foreign-equivalents for foreign providers); and
- registered United States agent (if the provider has one).
- Service information, including:
- information about the nature of the upstream provider’s operations, including the types of services it offers, the types of customers it serves or intends to serve, and whether it relies on non-Internet Protocol (IP) technology; and
- whether another voice service provider has refused or discontinued service to the upstream provider.
Compliance Review:
The FCC proposes to require that voice service providers perform due diligence of upstream providers’ compliance with Commission rules related to the provision of service by:
- confirming the upstream provider has a filing in the RMD and reviewing the filing (including the robocall mitigation plan) to generally assess whether it is complete and compliant with Commission rules;
- confirming the upstream provider has obtained an SPC token if it certified in its RMD filing that it has fully or partially implemented STIR/SHAKEN;
- determining whether the upstream provider appears on the Foreign Adversary Control System or the Covered List;
- determining whether the upstream provider has been subject to a Commission action revoking a Commission license; and
- determining whether the upstream provider has been the subject of any other final or preliminary Commission enforcement actions
In addition to these mechanisms, the FCC proposes that providers should evaluate an upstream provider’s traceback history, including whether the upstream provider was the source of any tracebacks or failed to respond to any traceback requests. Additionally, providers should also try to ascertain, beyond just a general provision in a contract, whether an upstream provider actually has mechanisms in place to ensure its own customers, upstream providers, clients, employees, and contractors comply with federal and state laws and regulations concerning unlawful calls, including any KYC and KYUP requirements established by the Commission.
Information Verification
The FCC proposes to require that voice service providers conduct at least a basic level of due diligence to verify the validity and authenticity of an upstream provider, the information voice service providers obtain from or about an upstream provider, and the upstream provider’s explanation for any information it could not produce, including:
- confirming any telephone numbers and email addresses are active;
- participating in a verbal communication with one or more natural person principals, owners, or company leaders;
- conducting general research to identify risk factors or contradictory information, such as:
- whether the physical address provided by the upstream provider represents a real place of business associated with the provider and is not a virtual address, shared office location without a dedicated suite or floor, P.O. Box, mail forwarding service, hosted server location, or an address shared by multiple unrelated or purportedly unrelated businesses;
- whether there is contradictory information concerning the upstream provider’s place of business, such as evidence the company is based outside the United States, including whether the company’s IP address is associated with a foreign country or otherwise does not match the location information provided;
- whether the principals, owners, and leadership of the upstream provider exist as natural persons;
- whether there is any information that contradicts an upstream provider’s claims about prior criminal or regulatory investigations or actions;
- whether there is other evidence that raises questions about the upstream provider’s legitimacy or reputation, such as a lack of digital presence for a purportedly established company; and
- whether the upstream provider is owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;
- reviewing the upstream provider’s Internet commercial presence information to identify risk factors or contradictory information, such as:
- excessive spelling and grammatical errors, being created recently, apparent copying of another company’s website, apparently fake customer reviews, or use of fake photos for leadership and listed employees (e.g., stock photos, potentially AI-generated photos, or photos of persons with no relationship to the provider); and
- whether it contains information that contradicts the information supplied to the provider, including, but not limited to, different contact information, different leadership, or an inconsistent description of the nature of the services and types of customers served;
- conducting a basic comparative analysis of the information to identify inconsistencies in the information or consistencies with information concerning other upstream providers, such as:
- different business names, addresses, contact information, email addresses or website domains, and individuals involved with the company;
- similarities with other current or former upstream providers purportedly operating as unrelated entities, which may indicate the upstream provider is replacing a provider whose calls were being scrutinized or blocked; and
- evaluating an upstream provider’s financial information to identify risk factors, such as untraceable forms of payment (e.g., cryptocurrency or prepaid credit cards).
KYUP Monitoring:
To protect against bad actor providers who successfully circumvent initial KYUP vetting, the FCC proposes to require that voice service providers implement the following baseline
KYUP monitoring obligations:
- regularly checking the upstream provider’s compliance with Commission rules related to the provision of service, consisting of whether the upstream provider no longer has a filing in the RMD, has had its SPC token revoked, has been added to the Foreign Adversary Control System or the Covered List, has had a Commission license revoked, or has become the subject of any other Commission enforcement actions;
- using call analytics on an ongoing basis to identify illegal or suspect calls or call patterns from each upstream provider, including whether the upstream provider is transmitting calls from a further upstream provider that the voice service provider knows no longer has a filing in the RMD, has had its SPC token revoked, appears on the Foreign Adversary Control System or Covered List, has had a Commission license revoked, or has been subject of a Commission enforcement action that denies its ability to provision voice service;
- evaluating on a timely basis information or evidence it finds, receives, or is made aware of that an upstream provider is transmitting illegal calls, failing to authenticate calls, or authenticating calls with improper attestations;
- evaluating on a timely basis whether any information or evidence it finds, receives, or is made aware of presents inconsistencies with other KYUP information obtained from or about the upstream provider, such as that:
- the upstream provider or its employees are operating outside the United States, or its calls are originating outside the United States when it claimed it is a domestic provider;
- the upstream provider’s calls are originating in the United States when it claimed it is a foreign provider;
- the upstream provider is providing different types of service or serving different types of customers than what was described;
- the upstream provider’s calls are sent over non-IP technology when the upstream provider did not specify it uses such technology; and
- evaluating on a timely basis any other new information or evidence it finds, receives, or is made aware of concerning the upstream provider’s reputation, such as a refusal or discontinuance of service by another provider.
Responsive Actions:
The FCC proposes to require that voice service providers perform a holistic, totality-of-the-circumstances evaluation of each upstream provider based on the information collection, information verification, compliance review, and monitoring measures described above and
implement measures to refuse or discontinue service:
- when the results do not form an objectively reasonable basis for concluding that the upstream provider is a valid and authentic entity;
- when the results form an objectively reasonable basis for concluding that an upstream provider is likely to use or is using the network or services of the provider with the KYUP obligation to transmit illegal calls or enable the transmission of illegal calls;
- when the upstream provider does not have a filing in the RMD, transmits calls in IP but does not have an SPC token, appears on the Foreign Adversary Control System or Covered List, has had a Commission license revoked, or has been the subject of any other Commission enforcement actions that deny its ability to provision voice service; and
- when the provider finds, receives, or is made aware that an upstream provider does not have mechanisms in place to ensure its customers, upstream providers, clients, employees, and contractors comply with federal and state laws and regulations concerning unlawful calls, including any KYC and KYUP requirements established by the Commission.
To support providers taking responsive action, we propose that providers will receive a safe harbor from liability under the Act or Commission rules for objectively reasonable decisions to refuse or discontinue service.
The FCC also seeks comment on the availability of the various types of information that must collected and verifies.