The TRACED Act states that Congress’ intent is “To deter criminal robocall violations and improve enforcement of section 227(b) of the Communications Act of 1934, and for other purposes.” The Commission was directed to “revise or replace the call authentication frameworks under this section if the Commission determines it is in the public interest to do so” based on its assessment. Numeracle agrees with the Commission’s approach of evaluating STIR/SHAKEN based on its effectiveness in authenticating the identity of the calling party. Therefore, the Commission should revise its rules to impose customer due diligence and know your customer requirements on originating service providers, and should request that Congress extend its authority to authenticated caller information presentation providers.
While Numeracle agrees with the Commission that results are difficult to measure while adoption of STIR/SHAKEN remains incomplete, STIR/SHAKEN represents an important leap forward in establishing a carrier-to-carrier framework (see Figure 1) for the verification and transmission of critical information along the path of a call. The STIR/SHAKEN infrastructure is a critical milestone in the TRACED Act’s mission to detect and mitigate illegal robocalls.
Fraud is not solved by a technical solution alone. STIR/SHAKEN is the technical solution for the pathway that delivers authenticated caller information. Combating fraud also requires additional guidance from the FCC for the customer onboarding process, in the form of customer due diligence practices. And for consumers to realize the benefits of authenticated caller information, the FCC must require the parties involved in caller authentication presentation to actually present that information.
Without action by the FCC to address these two critical gaps, the most the FCC can achieve, and the most Congress can expect, is authenticated calls between carriers. Fraudulent calls will continue to be delivered to consumers, and consumers will remain exposed to and unaware of fraudulent attacks (see Figure 2). In short, the efforts of Congress will have been neutered.
The TRACED Act and Title II give the Commission the authority to establish rules requiring service providers to implement know your customer and customer due diligence practices so that fraudulent actors cannot exploit the caller authentication framework. Today, voice service providers employ wildly different processes and procedures for know your customer and customer due diligence. These differences erode the trustworthiness, and therefore the effectiveness, of STIR/SHAKEN call signatures.
There are no rules, guidance, monitoring, or enforcement requiring service providers to establish effective know your customer (“KYC”) principles and customer due diligence (“CDD”).
In reviewing Robocall Mitigation Plans (RMPs) filed by providers in the RMD, Numeracle found a wide variety of statements from providers as to their KYC processes, ranging from:
RMPs are available only for providers that have not certified that they have fully implemented STIR/SHAKEN, which limits the instances in which intermediate service providers or the Commission can use published RMP information to evaluate a current or potential service provider customer. Numeracle agrees with the state attorneys general, USTelecom, INCOMPAS, and the Cloud Communications Alliance that the Commission should require all service providers to submit a detailed RMP regardless of their STIR/SHAKEN implementation status.4
The disparity between service providers’ KYC policies often places the teams responsible for customer due diligence in the difficult position of having to create processes and policies from scratch without a sense of what is acceptable or required. Illegal callers can easily take advantage of the chaos, shopping among hundreds of available service providers to find those with vulnerabilities or the most permissive onboarding processes and sharing that knowledge with others. Some service providers have no KYC function at all, and many perform some validation actions but have no full-time staff members dedicated to performing KYC reviews.
The financial industry took the approach of setting rules for customer evaluation, establishing reporting requirements for customer activity, and defining clear methodologies for how institutions would be evaluated and, if necessary, sanctioned.5 Enforcement actions by the Financial Crimes Enforcement Network (FinCEN) target institutions it alleges are not appropriately adhering to the rules, regardless of the institution’s size or what proportion of its overall transactions are of potential concern. This approach shifts the focus away from identifying and culling the worst actors and toward setting a universal standard and expectation to which all participants must adhere, thus eliminating loopholes that bad actors could exploit.
Numeracle requests that the Commission establish KYC and CDD rules modeled on those of the financial industry, so that fraudulent actors do not gain access to the caller authentication framework through originating service providers. Know your customer should encompass the identity, intent, and usage of a customer, as required to effectively service the customer’s account, apply appropriate treatment to the customer’s traffic, and comply with applicable laws, regulations, and rules. Customer due diligence should include the use of reasonable diligence, regarding the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer needed to achieve KYC goals. For the purpose of these comments, KYC refers to the general roles and responsibilities of customer validation, and CDD to the actions, policies, and systems used to perform customer validation.6
The Commission should look to the existing rules established by FinCEN for customer due diligence and anti-money laundering programs.7 FinCEN summarized its overall customer due diligence requirements as follows:
“The CDD Rule has four core requirements. It requires covered financial institutions to establish and maintain written policies and procedures that are reasonably designed to:
FinCEN has also established guidance on conducting due diligence for institutions managing correspondent accounts9 maintained on behalf of foreign financial institutions10, with correspondent accounts in many ways mirroring intermediate provider or reseller relationships found in the telecom space.
The Commission should adopt the same approach of 1) mandating that service providers establish and maintain written, risk-based policies and procedures for customer due diligence, and 2) outlining the specific outcomes that these policies and procedures should be designed to achieve. The Commission should address the applicability of rules to accounts opened by legal entities versus accounts opened by private individuals and any differences in responsibility depending on whether the service provider is acting as the originating service provider versus an intermediate service provider.
By establishing clear and uniform requirements and outcomes for customer due diligence, the Commission can help to mitigate customer confusion and the pressure for service providers to reduce diligence standards currently caused by unclear requirements and widely disparate customer onboarding practices.
The Commission could help mitigate potential costs of KYC and CDD by supporting solutions that would provide all qualified service providers free access to publicly available, verified data on service providers and business entities. The Commission could also create safe harbor protections for the sharing of information between qualified service providers. Business entities should not be required to have their information qualified multiple times if they are willing to have their information published to a registry of this nature. Embedding this validated information into a customer onboarding flow could even improve a customer’s experience.
To ensure that information standards are high and trust is maximized, the Commission should require the use of frameworks for business entity authentication that have existing regulatory backing and oversight, such as the Global Legal Entity Identifier Foundation’s (GLEIF) existing system of Legal Entity Identifiers (LEI), which is “driven by the Group of 20 and the Financial Stability Board (FSB). Created by the FSB in 2014, GLEIF is a supranational, not-for-profit organization tasked to manage the only open, non-proprietary legal entity identification system designed as a public good.”11 In embracing the LEI system, the Commission would join the Securities and Exchange Commission, U.S. Customs and Border Protection, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), and Congress in the Dodd-Frank Act in proposing the use of a streamlined and accepted central company identifier.12 In its white paper, “Envisioning Comprehensive Entity Identification for the U.S. Federal Government,” GLEIF states that “The FCC currently uses one main code to track its registrants: the FCC Registration Number, or FRN.
The FRN was originally designed as a login credential, tied to individuals who file certain types of reports with the FCC on behalf of their companies. The FCC has worked to create a structure that allows for multiple employees, each with their own login, to be associated with a single entity, like one associated with a taxpayer identification. However, complicated corporate structures, for example from corporate mergers and holding company arrangements, still result in difficulty in associating related entities.” They further state that “we believe that the Federal Communications Commission (FCC) could consider LEI adoption or mapping.
The FCC currently uses one main code to track its registrants, the FRN. However, as we discussed earlier in this paper, the FRN is limited in its ability to associate related entities. Internally, the FCC has occasionally worked to map various FRNs to their parent companies, but there is no automated or ongoing system in place to do so.”13 Use of the LEI system would allow the Commission and the communications industry to build upon existing entity validation frameworks to authenticate service providers and calling parties for use in KYC processes, and potentially in call authentication itself.
Based on its assessment, the Commission should request that Congress extend its authority to authenticated caller information presentation providers. An authenticated caller information presentation provider, as used here, is the entity in the terminating network that provides calling party information to the called party: the result of verifying the call authentication information, analytics-based advice on risk, and the information to be displayed. The display of authenticated caller information to consumers is critical to restoring consumer trust in communications. Even if calls are appropriately signed and call information is transmitted through the terminating service provider, the display of authenticated caller information is governed by the operating software installed on the call recipient’s device.
In testing the call recipient experience following Apple’s update to iOS 16 for iPhone devices, Numeracle found that, as part of its software update, Apple had reduced the prominence of verified calling party name information shown to consumers.14 Caller name information is now displayed much less prominently on the incoming call screen and is no longer displayed at all in the missed call log of smartphones running iOS 16. As of June 2022, Apple iPhones account for over 50 percent of the US smartphone market, making Apple’s treatment of call authentication information extremely influential in US consumers’ experience of the effectiveness of STIR/SHAKEN.15
Regardless of the efforts by the Commission, Congress, and voice service providers to implement call authentication via STIR/SHAKEN, Apple (and, for Android devices, Google) are key stakeholders and gatekeepers for the appropriate implementation and display of STIR/SHAKEN data to consumers. Without their cooperation, the TRACED Act is rendered ineffective.
Current STIR/SHAKEN rules do not provide a method for the calling party’s identity (as distinct from the calling telephone number, which is what a SHAKEN attestation covers) to be embedded by an originating service provider and transmitted to the terminating service provider or the call recipient. The current STIR/SHAKEN frameworks could be enhanced to allow participating callers and their originating service providers to embed the calling party’s identity into a call on a voluntary basis. The Commission should encourage the creation of standards that would allow the originating service provider to embed the authenticated identity of the calling party into a call, and should mandate that intermediate and terminating service providers preserve and transmit that identity information to the call recipient.
Embedding the calling party’s identity in the call information would enhance terminating providers’ ability to perform effective call analytics by allowing the call activity of a single calling entity to be tracked across all of its calling phone numbers. Embedding calling party information could be adopted as a voluntary service enhancement, removing any concern about delays to current STIR/SHAKEN implementation timelines. Originating service providers would be incentivized to perform customer due diligence sufficient to obtain a legal entity identifier (LEI) for their customers for purposes of embedding calling party information. Legal callers would benefit from an expanded ability to identify themselves to consumers, and consumers would benefit from better identification of calling parties, which would in turn enhance consumer trust in communications. Finally, this information could be of great benefit to the Commission and to law enforcement agencies in monitoring the sources of call traffic.
The Commission should task a working group such as the Call Authentication Trust Anchor (CATA) working group with creating standards and best practices for embedding calling party information. To guard all service providers, including terminating service providers, against liability for such information, the Commission should specify that originating service providers are solely responsible for ensuring that calling party information is accurate, and should mandate that intermediate and terminating service providers transmit calling party information unaltered unless a call is otherwise blocked under existing call analytics frameworks.16 Carrying this information inside the originating provider’s signed PASSporT, alongside the existing SHAKEN claims, would also let a terminating provider detect any alteration in transit, since the originating provider’s signature would no longer verify. The Commission should also ensure that providers of mobile device operating systems are subject to oversight to ensure that calling party information is displayed to consumers.
Numeracle believes that the Commission’s leadership and collaboration with service providers to implement STIR/SHAKEN represents a foundational achievement in the effort to combat illegal phone calls. Responsibly proliferating functional and technical changes in an industry as critical to American consumers and businesses as communications will take time, but the result will be a framework upon which the telecommunications industry can build and enhance. Congress and financial regulators have been building upon anti-money laundering legislation and oversight programs since 1970 through the present day, and Congress should expect that call authentication programs to combat illegal calls will likewise require an ongoing effort of incremental progress and adaptation in response to changing fraud trends and new and different technologies.17
The Commission should emphasize to Congress the importance of STIR/SHAKEN and call authentication while identifying the next stages of enhancements needed to call authentication. Numeracle believes that the Commission should focus its efforts on closing the gaps in order to provide an end-to-end caller authentication framework, which includes establishing rules for KYC and CDD and requesting that Congress expand its authority to regulate authenticated caller information presentation providers. The Commission should issue mandates aimed at improving service providers’ KYC practices, and thereby their call authentication practices, through specific guidance on how customer due diligence should be conducted, drawing upon existing regulations from the financial industry. Numeracle recommends that the Commission require all service providers to submit descriptions of their KYC practices sufficient to meet the Commission’s guidance as part of a Robocall Mitigation Plan, and further recommends that the Commission explore opportunities for reducing the costs of KYC to service providers through the adoption of legal entity identifiers. Lastly, the Commission should mandate that intermediate and terminating service providers preserve and transmit calling party identity information to call recipients. This will allow originating service providers to embed and transmit calling party information via the STIR/SHAKEN framework to achieve end-to-end benefits.
Through these enhancements, the Commission can capitalize on the achievements and learnings of STIR/SHAKEN and ensure the framework’s ongoing success in combating illegal calls.
Founder and CEO
VP of Trust Solutions
7918 Jones Branch Drive
McLean, VA, US 22102
October 3, 2022
4 See, e.g., Fifty One State Attorneys General Reply Comments, CG Docket 17-59, WC Docket No. 17-97, at 3 (filed Sept. 16, 2022); USTelecom Reply Comments, CG Docket 17-59, WC Docket No. 17-97 (filed Sept. 16, 2022); INCOMPAS Reply Comments, CG Docket 17-59, WC Docket No. 17-97 (filed Sept. 16, 2022); Cloud Communications Alliance Reply Comments, CG Docket 17-59, WC Docket No. 17-97 (filed Sept. 16, 2022).
6 This language is an adaptation from the Financial Industry Regulatory Authority (FINRA) Rule 2090 (Know Your Customer). https://www.finra.org/rules-guidance/rulebooks/finra-rules/2090
7 See 31 U.S.C. § 5318(h) and 31 CFR § 1010.210 for anti-money laundering program requirements, and, as applied to specific financial institutions, 31 CFR §§ 1020.210, 1021.210, 1022.210, 1023.210, 1024.210, 1025.210, 1026.210, 1027.210, 1028.210, 1029.210, and 1030.210.
8 Information on Complying with the Customer Due Diligence (CDD) Final Rule, https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule. “The CDD Rule requires these covered financial institutions to identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts.”
9 31 CFR 1010.605(c)(1)(i) defines a correspondent account as “For purposes of § 1010.610(a), (d) and (e), an account established for a foreign financial institution to receive deposits from, or to make payments or other disbursements on behalf of, the foreign financial institution, or to handle other financial transactions related to such foreign financial institution” (a second but, for these purposes, fundamentally similar definition is given in 31 CFR 1010.605(c)(1)(ii)).
10 31 CFR Part 1010 Subpart F - Special Due Diligence for Correspondent Accounts and Private Banking Accounts.
11 GLEIF website, https://www.gleif.org/en
12 GLEIF, Regulatory Use of the LEI, https://www.gleif.org/en/lei-solutions/regulatory-use-of-the-lei
13 GLEIF and Data Foundation Research Report, Envisioning Comprehensive Entity Identification for the U.S. Federal Government: https://www.gleif.org/en/lei-solutions/regulatory-use-of-the-lei/gleif-and-data-foundationcomprehensive-entity-id-for-u-s-federalgovernment#
14 Numeracle, iOS 16 Update Impacts Caller Name Display on Incoming Calls, https://www.numeracle.com/press-releases/ios-16-update-impacts-caller-name-display-on-incoming-calls
15 Engadget, iPhone Overtakes Android in US Market Share, https://www.engadget.com/iphone-overtakes-android-usmarket-share-223251196.html
16 Terminating service providers would retain existing capabilities to block calls based upon a belief that a call is likely illegal.
17 FinCEN, History of Anti-Money Laundering Laws, https://www.fincen.gov/history-anti-money-laundering-laws. FinCEN, Administrative Rulings, https://www.fincen.gov/resources/statutes-regulations/administrative-rulings.