Numeracle purple spoke. Copyright 2023.
Countdown Timer showing days, hours, minutes, and seconds remaining
Get Your Lowest Price on Number Rep Management!
Take advantage of our end of year promos today!
Request Promo pricing
All Articles

What Is KYUP? The FCC's Know Your Upstream Provider Proposal Explained

6 min read
Written by
Keith Buell, General Counsel & Head of Global Public Policy 
Published on
May 21, 2026
Updated on
May 21, 2026

The FCC's May 20, 2026, Open Meeting introduced a term that many voice service providers had not yet encountered: Know Your Upstream Provider, or KYUP.

For those already tracking the FCC's April 30 Know Your Customer (KYC) Further Notice of Proposed Rulemaking (FNPRM), KYUP may sound like a natural extension, and it is. But it is also meaningfully different in scope, obligation, and impact.  

Understanding the distinction between KYC and KYUP, as well as what each proposed rulemaking is requesting of providers, is essential for any voice service provider operating in the U.S. today.

This article is a plain-language explainer for voice service providers (VSPs), Voice over IP (VoIP) providers, CPaaS and CCaaS platforms, gateway providers, and other voice service providers seeking to understand what the FCC is proposing and its implications for their operations.

What Happened at the FCC's May Open Meeting?

At its May 20 Open Meeting, the FCC voted to advance a draft Further Notice of Proposed Rulemaking (FNPRM) that would establish more specific Know Your Upstream Provider requirements for voice service providers.

The May 20 vote is not a mandate. It initiates the formal public comment process. Advancing the FNPRM means the FCC is actively seeking input from the industry on what these requirements should look like before any final rules are adopted.  

From the comment period to a final Report and Order, which would carry the force of law, the timeline typically spans twelve months or more after publication in the Federal Register.

KYUP FCC Rulemaking Tentative Timeline: From initial proposal to final Report & Order, proceedings follow a structured FCC process that typically takes 12 to 24 months.
KYUP FCC Rulemaking Tentative Timeline: From initial proposal to final Report & Order, proceedings follow a structured FCC process that typically takes 12 - 24 months.

That said, the direction of travel is unmistakable. The FCC is building a comprehensive identity accountability framework for the voice network, and KYUP is a significant part of that architecture. As FCC Chairman Brendan Carr wrote in describing the May 20 Agenda:  

"KYUP takes these efforts further by making sure customers in the call path are meaningfully vetted."
— FCC Chairman Carr

What is KYUP (Know Your Upstream Provider)?

Know Your Upstream Provider (KYUP) is a proposed regulatory framework under which downstream voice service providers (VSPs) would be required to verify the identity and vetting practices of the upstream providers they connect to.  

Under current rules, the primary accountability obligation falls on the originating service provider (OSP): know who your customer is before you provision service.  

KYUP extends that obligation further along the call path. It asks: do you know who your upstream provider is? Are they doing adequate identity verification of their own customers?

The FCC's draft FNPRM frames this as closing a known gap in the existing framework. Bad actors have exploited intermediary relationships to introduce illegal call traffic by working with VSPs with minimal to nonexistent KYC practices to get their calls onto the network and then transmitted to other VSPs and eventually to the call recipient’s handset. KYUP is designed to close that gap.

Why is the FCC Proposing KYUP now?

The FCC's KYUP proposal reflects a sustained and accelerating effort to address illegal robocalls and voice fraud at every point in their lifecycle and not just at origination.

Chairman Carr framed it directly: the Commission wants KYUP to "hold providers to a higher accountability measure or to eliminate them from the voice ecosystem if they continue to facilitate illegal robocalls."

The STIR/SHAKEN framework addresses call authentication. The KYC FNPRM, adopted April 30, 2026, addresses originator identity verification. KYUP addresses the accountability gap in between — the interconnection layer where traffic from unvetted or unverified sources can enter the legitimate call path.

The FCC has signaled this direction for years. In August 2025, 185 providers were removed from the Robocall Mitigation Database for failing to demonstrate adequate compliance practices.  

The message from the Commission has been consistent: providers that cannot evidence credible identity and compliance practices risk removal from the voice ecosystem entirely.

How is KYUP Different From KYC?

Know Your Customer (KYC) and KYUP both address identity accountability in the voice ecosystem, but they operate at different points in the call path and impose different obligations. In this sense, KYUP applies the same Know Your Customer logic one step further back in the call path — the 'customer' in question simply happens to be an upstream provider rather than an end-user originator.

In this sense, KYUP applies the same Know Your Customer logic one step further back in the call path — the 'customer' in question simply happens to be an upstream provider rather than an end-user originator.

Know Your Customer (KYC)

KYC, as proposed in the April 30 FNPRM, focuses on the relationship between an originating service provider and its customers. Before provisioning voice service, an OSP would be required to collect, verify, and retain identity information for that customer.  

The FCC has proposed minimum data requirements, enhanced obligations for high-volume customers, ongoing monitoring, and risk-based re-verification when red flags arise. Critically, the KYC FNPRM proposes per-call penalty exposure for providers whose KYC practices are found deficient, which represents a significant enforcement escalation.

Know Your Upstream Provider (KYUP)

KYUP addresses a different relationship: the connection between a downstream voice service provider and the upstream provider(s) whose traffic it carries. Under KYUP, a downstream voice service provider (VSP) would be required to:

  • Collect general business, financial, internet commercial presence, ownership, and affiliate, operational, and service information from upstream providers.
  • Evaluate whether those upstream providers are conducting meaningful identity vetting of their own customers.
  • Take affirmative action with respect to potentially illegal traffic originating from upstream providers.
  • Meet new compliance evaluation and ongoing monitoring obligations

In other words: KYC governs what you know about who you are serving. KYUP governs what you know about who is serving your network when your direct customer is another VSP.

Does KYUP Apply to All Voice Service Providers?

The draft KYUP FNPRM is broad in scope. It proposes baseline expectations for all VSPs, including new information gathering obligations, compliance evaluations, due diligence requirements, and ongoing monitoring responsibilities.

The draft also proposes redefining several critical terms that would shape exactly which providers are covered, including "Voice Service," "Voice Service Provider," "Origination," "Originating Provider," "Intermediate Provider," "Gateway Provider," and "Non-Gateway Intermediate Provider." These definitional questions are among the most consequential in the entire FNPRM, and they are expressly open for public comment.

If your organization originates, carries, or interconnects with voice traffic in the United States, the KYUP FNPRM is relevant to your operations.

What Would KYUP Actually Require?

The draft FNPRM proposes that downstream VSPs collect and evaluate a range of information about their upstream providers. The categories the FCC has outlined include:

  • General business information (legal name, entity type, registration status, operating history).
  • Financial information relevant to assessing legitimacy and stability.
  • Internet and commercial presence, including whether a provider has a verifiable, active online presence.
  • Ownership and affiliate relationships, including beneficial ownership.
  • Operational information about the type of traffic originated and the intended use of service.
  • Service information relevant to understanding the scope and nature of the upstream provider's network activity.

This is not a data collection checklist. The FCC is asking downstream providers to assess whether their upstream providers are who they say they are and whether those providers are operating with appropriate accountability.  

Collecting information is a prerequisite, not a conclusion.

What Does KYUP Require Regarding STIR/SHAKEN?

The draft KYUP FNPRM also includes significant proposals related to the STIR/SHAKEN call authentication framework. Specifically, the FCC proposes to:

  • Codify the STIR/SHAKEN attestation levels established in ATIS standards and set out requirements for satisfying each attestation level.
  • Codify prohibitions on improper attestations.
  • Close loopholes in STIR/SHAKEN implementation.
  • Repeal undue hardship extensions for STIR/SHAKEN attestations, including for certain satellite service categories.
  • Adopt more significant oversight over the current STIR/SHAKEN Governance Authority (GA).

The implication is important: STIR/SHAKEN authenticates calls, but it does not verify the identity of the entity behind the call. KYUP is about extending identity accountability into the interconnection layer in a way that STIR/SHAKEN was never designed to address.

"While our STIR/SHAKEN call verification framework remains central to call blocking, tracebacks, and other mitigation measures, KYUP takes these efforts further by making sure customers in the call path are meaningfully vetted."
FCC Chairman Carr

What Does KYUP Mean for Voice Service Providers Today?

The KYUP FNPRM is in the proposed rulemaking stage. No final rules have been adopted. But the comment process is where final rules get shaped, and the direction of the FCC's thinking is already clear enough that providers should begin assessing their current practices rather than waiting for a Report and Order.

There are several practical steps providers should consider:

  1. Understand your upstream relationships. Do you have documented, auditable records of the upstream providers you interconnect with? Could you produce evidence of how those providers vet their own customers if the FCC asked?
  1. Assess your current vetting practices. The gap between data collection and identity verification is where regulatory risk lives. Providers that have treated KYC as a data submission exercise rather than a verified identity exercise are the most exposed.
  1. Follow the comment period. The KYC FNPRM comment period opens approximately 30 days after Federal Register publication, with reply comments due at 60 days. The KYUP FNPRM comment process will follow a similar timeline after the May 20 vote. Filing comments, or aligning with others who do, is the mechanism through which industry shapes final rules.
  1. Think about the call path holistically. KYC and KYUP are not two separate compliance items to manage in parallel. They are two layers of the same identity accountability framework the FCC is building. Providers who are already building robust KYC practices will find KYUP requirements far less disruptive than those starting from scratch.

Is There a Connection Between KYC & KYUP Compliance?

Yes, and this is one of the most important things to understand about the FCC's current direction.

The KYC FNPRM and the KYUP FNPRM are sequential, not separate. KYC establishes that you know who your customers are. KYUP extends accountability to whether you know who your upstream providers are, and whether those providers are doing the same.

A provider that has invested in rigorous KYC (verified identity, suitability assessment, ongoing monitoring, and auditable records) is already building the operational foundation that KYUP compliance will require. The identity work is not duplicated; it is extended.

Numeracle has been engaged on these questions since 2018, working with the FCC, with industry stakeholders, and with the OSP community to develop practical frameworks for verified caller identity in communications.  

Our KYC as a Service (KYCaaS) offering was built for exactly this environment: not as a compliance checkbox, but as an operational identity infrastructure that supports the full accountability chain the FCC is now formally proposing.

Where Does KYUP Fit in the Broader Regulatory Picture?

The FCC has described its robocall enforcement agenda as attacking illegal calls "at every point in their lifecycle." KYC and KYUP together represent the most comprehensive expression of that agenda to date.

  • KYC addresses the origination point: who is entering the voice network, and are they who they claim to be?
  • KYUP addresses the interconnection point: who is carrying traffic between providers, and have they verified the identities of those they connect to?

The proposed per-call penalty framework for KYC violations, combined with the KYUP obligation for downstream providers to take affirmative action against upstream providers carrying potentially illegal traffic, creates a genuine accountability chain across the call path for the first time.

The FCC's most recent Caller Identity FNPRM, adopted in 2025, proposed steps requiring OSPs to verify caller identity information and use Rich Call Data (RCD) to transmit it, shifting attention from number authentication to accurately and securely displaying who is calling to consumers. KYC and KYUP are the identity substrates that make accurate caller identity display possible, at scale.

Together, these rulemakings signal that the FCC is no longer focused on incremental adjustments to the robocall mitigation framework. It is building an identity layer for the voice network, and providers who are not ready to demonstrate verified, auditable identity practices at every point in the call path will face increasing enforcement exposure.

What Comes Next?

Following the May 20 vote, the KYUP FNPRM will follow a formal comment process and subsequent Federal Register publication. Providers, associations, and other stakeholders will have the opportunity to file comments shaping the final rules.

Numeracle filed formal comments in the KYC FNPRM proceeding and has been actively engaged with FCC leadership, including Chairman Carr, Commissioner Gomez, and staff from the Wireline Competition Bureau and Consumer & Governmental Affairs Bureau, on the questions of practical, standards-based identity verification for the voice ecosystem.

We will continue to publish guidance and analysis as these proceedings develop. If you are an originating service provider, VoIP provider, CPaaS platform, CCaaS platform, or gateway provider trying to understand what KYUP would mean for your operations, we are ready to talk. Reach out to Numeracle to learn more.

Related Reading & Resources

Frequently Asked Questions

How can Numeracle help organizations prepare for KYUP compliance?

Numeracle is currently one of the first and only providers offering a telecom-specific solution purpose-built to operationalize KYUP requirements. By extending our KYC as a Service (KYCaaS) solution to include upstream entity verification, providers can identify the businesses behind traffic, evaluate fraud risk, and document oversight in a scalable and auditable way. This allows organizations to act now, rather than wait for final FCC mandates, and positions them to meet KYUP expectations as an extension of existing identity infrastructure rather than a new, separate compliance burden.

What does KYUP require from voice service providers?

Know Your Upstream Provider (KYUP) requires voice service providers to understand and validate the identity and practices of the upstream partners sending traffic into their networks. This goes beyond basic onboarding and includes verifying business legitimacy, assessing risk, and maintaining ongoing monitoring and documentation. The FCC’s proposal signals a shift from passive traffic acceptance to active, continuous accountability across the call path, even before final rules are adopted.

What is the most efficient way to operationalize KYUP vetting?

The most effective way to operationalize KYUP is through a centralized, repeatable identity framework that combines entity verification, risk assessment, and continuous monitoring. Manual reviews and fragmented processes are difficult to scale and may not meet rising regulatory expectations. Numeracle’s KYCaaS solution addresses this by extending identity verification beyond direct customers to upstream entities, enabling providers to apply consistent standards, perform meaningful due diligence, and maintain defensible and auditable compliance records.

Numeracle Spoke logo small dark purple
©Numeracle 2026
Not sure where to start?
Ready to take control of how your identity is presented to consumers? 
Let us help you choose the right combination of tools based on your industry, goals, and call volume.
Talk To An Expert
Check Your Numbers