Written by
Sam Etler, Principal Product Enablement Manager
Mary Gonzalez, Director of Brand & Content
Published on
March 19, 2026
Updated on
March 19, 2026
Sophisticated fraud has become one of the most lucrative criminal enterprises in communications. The combination of old technology that underpins modern networks with the growing capabilities of AI has made it easier than ever for bad actors to defraud Americans. Attackers have moved from blanket mass contact strategies to more sophisticated methods that target specific individuals with information gained from data leaks, creating a highly manipulated impersonation of an entity that the target has an existing relationship with.
In response, U.S. regulators have signaled a sustained focus on caller identity: clarifying what originating service providers (OSPs) should verify, how identity should be presented, and how to close gaps that enable illegal traffic. The FCC, FTC, and state Attorneys General are recognizing that it is the responsibility of the OSP to know who their customers are so they can both determine initial risk and very quickly understand who is attempting fraud on their network when it is detected.
The FCC’s most recent Caller Identity FNPRM, adopted in 2026, continues a multi-year effort to improve how caller identity is verified and presented to consumers. It proposes steps requiring OSPs to verify caller identity information and using rich call data (RCD) to transmit it, shifting attention from number authentication to accurately and securely displaying who is calling to consumers while preventing continued manipulation and fraud to occur.
With the outdated security aspects of the telephone network, it’s relatively easy for a bad actor to impersonate almost any legal enterprise business. If a phone number is in one or more CNAM databases, there is a high likelihood that when a call is illegally spoofed, the target will see the spoofed call arrive with a name they may recognize. While there are technological developments being implemented to help combat this, the onus for stopping this type of fraudulent voice traffic falls onto the OSP.
Historically, the idea of KYC, often referred to as Know Your Business (KYB) or Business Entity Vetting (BEV), has been nebulously defined. The information that is collected about an OSP’s customers has varied significantly from OSP to OSP. Some ask for virtually no information, while others look for much more detail.
While standards for vetting are still not well defined, companies like Numeracle have published our own vetting standards which have been adopted by organizations, such as CTIA for their Branded Calling IDTM (BCIDTM) solution, and have been supported by industry groups like One Consortium and industry initiatives like Open Verifiable Calling.
However, there is no firm mandate for customer identity vetting. The FCC requires a level of KYC but has not yet defined specific parameters around this.
This lack of consistency and clearly defined standards creates ongoing exposure for fraud to occur across OSP networks. Without firm guidance on what constitutes adequate customer identity vetting, OSPs and other providers are left to make their own determinations about what “good” KYC looks like. In practice, this has led to widely varying approaches, some of which meet baseline expectations on paper but fall short of preventing real‑world abuse.
In one recent example widely discussed in the industry, inadequate KYC allowed bad actors to use their network to attack FCC personnel and their family members, a reminder that superficial intake can pass as “KYC” on paper while failing to stop fraud in practice. It became clear that this OSP’s KYC practices were substandard, but they were able to make an argument that while the fraud was indeed perpetrated using their network, they did do some KYC. What this indicates is that anything can be called “KYC” when it’s really just an attempt.
Meanwhile, enforcement actions continue to show that when providers cannot evidence credible identity or KYC practices, they risk removal from databases that enable interconnection and potential liability and risk financially heavy and public penalties. In August 2025, 185 providers were removed from the Robocall Mitigation Database, preventing them from connecting to U.S. networks until they complied. This is an unmistakable signal that documentation, auditable practices, and rigorous KYC are table stakes.
A meaningful KYC process should examine multiple dimensions of an entity’s identity. No single piece of information is sufficient to establish legitimacy. The FCC’s Caller Identity NPRM aligns with programs that treat identity as verifiable and continuously maintained, not a one‑time submission.
Numeracle’s vetting procedures are widely seen as best-in-class for the communications industry, and with our KYC as a Service (KYCaaS) solution, the initial vetting is just the beginning of an ongoing identity management.
With KYCaaS, OSPs forego the need to constantly do their own re-vetting and monitoring, leveraging our dynamic and corroborative approach that correlates a variety of signals to determine whether an entity is aligned with its claimed identity, raising potential flags for review.
The KYCaaS vetting does not remove decision-making from service providers; the objective isn’t to simply approve or reject applicants. Ultimately, the decision to allow a customer onto a network or platform rests with the organization providing the service. What KYCaaS provides is the structured intelligence needed to make that decision with far greater clarity.
This approach aligns with the reality that risk is rarely absolute. It must be assessed within the operational context of each provider. By presenting verifiable data rather than opaque scoring mechanisms, the platform helps service providers make defensible decisions both operationally and from a regulatory perspective.
The FCC’s broader caller‑identity effort in tying A‑level attestation to verified information and promoting end‑to‑end accuracy raises the bar for ongoing integrity. Providers that maintain continuous evaluation and auditable records will be better positioned to demonstrate due diligence during inquiries, database reviews, or enforcement checks.
Identity is not static, and businesses change over time. A one‑time verification cannot account for these changes.
Numeracle’s entire focus as a business is on identity. Over the past 8 years, Numeracle has worked on determining the most efficient and successful methods for vetting and knowing who an entity really is, a methodology which can now be utilized by anyone to learn who their customers really are through KYCaaS.
Why is this important? Most companies are not and do not employ subject matter experts on identity and KYC. It is a constantly changing world and keeping abreast of the most effective methods for both combating fraud and understanding how bad actors try to circumvent identity can be a challenge. This is Numeracle’s core focus, so we are at the forefront of both understanding and defining the best ways to do this work.
The overall trajectory is clear: identity will increasingly become a foundational element of communications trust. Systems that can establish, monitor, and maintain that identity at scale will be essential components of the communications ecosystem.
If you’re evaluating how to align with caller‑identity expectations while reducing exposure to enforcement or interconnection risk, contact Numeracle to explore KYCaaS, a best‑in‑class approach designed around corroborative verification, calibrated exception handling, and continuous monitoring with audit‑ready documentation to support your compliance posture.
Impersonation scams, where bad actors spoof trusted caller IDs to trick a called party into giving away sensitive information to what they believe is a trusted caller, are on the rise and driving the FCC’s increased focus on caller identity. This type of fraud, in aggregate, accounts for billions of dollars lost per year.
The FCC is mandating systems that require service providers to vet their customers in an attempt to keep bad actors off of the network. By further developing trusted, non-spoofable caller identity credentials, the FCC aims to give consumers more peace of mind and help them understand exactly who is calling them.
Until recently, there was little guidance or industry accepted solutions for performing Know Your Customer (KYC) vetting on business entities. This lack of standardization increased caller identity risk across provider networks. Numeracle’s vetting guidelines have been accepted by industry groups such as CTIA and One Consortium, and have been adopted by large service providers.
By establishing strong KYC, service providers can clearly identify who is responsible for calls placed on their network. This due diligence demonstrates that a service provider’s commitment to fighting fraudulent activity. When in-depth KYC is performed, the risk of fraudsters and bad actors utilizing a service providers network is significantly reduced.
KYC guidelines on the federal level are still undefined, but the FCC is clear that KYC must be done. By utilizing Numeracle’s KYCaaS vetting solution, service providers meet FCC expectations and can feel secure in knowing that best in industry vetting is being performed.
Think of KYC as the front door to your network. You wouldn’t let an unknown person into your house, and the same principle applies to who is allowed to originate calls on a network. A robust KYC process ensures that only trusted entities can originate calls.
STIR/SHAKEN, on the other hand, allows originating service providers to say, “I am authorizing and allowing my network to be used to originate this call, and I attest that I know who is making it.” Call authentication is a means of telling the consumer, “This is who is calling you and you can trust that.”
In simple terms, KYC opens the door and who gets access to the network, STIR/SHAKEN establishes the verified origination of call or who the starting point is, and call authentication travels with the call to give the called party confidence that the caller is who they claim to be.
