Know Your Customer (KYC) and STIR/SHAKEN Attestation
What it means, what it does, how it affects you
Molly Weis, VP of Marketing
May 29, 2020
When most people hear “Know Your Customer” or “KYC,” they think of industries like fintech, corporate compliance, or cybersecurity, and they envision the vetting process that these and other industries use to verify the identity of their clients before or during the commencement of business.
KYC didn’t use to be associated with the telecommunications industry, but as we move toward STIR/SHAKEN, which aims to improve transparency around who is calling when the phone rings, the new customer we need to know through KYC is any entity who is originating, facilitating, or terminating call traffic.
For voice service providers, or “VSPs,” the only way to accomplish a trusted level of oversight into all traffic traversing a communications network is by developing a KYC process to understand all the parties utilizing the network to deliver calls. This goes many layers beyond understanding the service providers’ direct clients, the ones with which they maintain an actual contractual relationship. VSPs also need to understand their clients’ clients (and those clients’ clients, and so forth) as well as any intermediary on whose behalf the service provider is directly or indirectly delivering or facilitating calls, from the calls’ origination to the calls’ termination.
Introducing KYC Methodology to STIR/SHAKEN to Define Attestation
The telecom ecosystem is working through the actions needed to reduce the number of illegal robocalls delivered while limiting disruption to legitimate call traffic. STIR/SHAKEN is a technology protocol that will help identify and reduce illegally spoofed call traffic. This type of illegal traffic is possible via bad actors falsely presenting phone numbers and calling identities that they’re unauthorized to use.
In addition to fewer spoofed scam calls, STIR/SHAKEN will enable improvements to traceback initiatives and the establishment of greater trust in who is behind the call, all possible through KYC.
Let’s explore how this impacts the VSP and the various individuals, entities, and intermediaries originating, facilitating, or receiving calls across various networks.
Situation #1: The VSP has a direct relationship with the entity behind the call and has provided the phone number being used.
In this example (Figure 1) of how KYC will be used to validate the entity behind their call and the verified use of the phone number, we have a direct relationship between a service provider (such as Verizon) and a wireless subscriber (someone like you, on the Verizon network, with a cell phone and a phone number issued to you by Verizon).
In this example (Figure 1), voice service providers originating calls for their subscribers provide authenticated caller ID information through a KYC process that identifies the customer and verifies the association of the telephone number the service provider provisioned to the customer.
When the phone number and identity criteria are fully met, the provider (in this example, Verizon) is able to assign A level attestation. Through the STIR/SHAKEN verification process, the terminating service provider (AT&T in this example) can verify the caller ID information and identity of the calling party to display a “verified caller” identification to the called party.
Situation #2: The VSP has a direct relationship with the entity behind the call. The entity is a business using multiple phone numbers provided by the VSP.
Figure 2 presents a situation similar to the last in that the originating service provider has a direct relationship with the entity behind the call. The entity in this example is USA Hospital, and USA Hospital is using multiple phone numbers to call its patients directly. The hospital acquired its phone numbers directly from its VSP.
Through the same attestation criteria of verifying a single customer’s identity and cell phone number, the base SHAKEN authentication can also be implemented by the originating voice service provider to attest to the accuracy of caller identification information transmitted with a call for customers that are not individual subscribers, like USA Hospital.
Utilizing their KYC process and number provisioning process, an originating voice service provider can provide A level attestation to a call made by a business, government entity, or similar. Through the STIR/SHAKEN verification process, the terminating service provider can verify the caller ID information and identity of the calling party to display a “verified caller” identification to the called party.
Now let’s complicate things a little.
STIR/SHAKEN standards do not support legal callers’ need for A level attestation due to distributed customer identity and number.
When the relationship between the caller, the assigned number, and the originating VSP does not meet the criteria for A level attestation, the provider will apply B or C level attestations. Even though a B or C level attestation does not provide the certainty of an A attestation, these options are part of the STIR/SHAKEN framework to, at a minimum, support traceback efforts to the originating or gateway carrier.
Situation #3: The VSP has a direct relationship with the entity behind the call, but did not provide the phone numbers.
In this example (Figure 3), the VSP has confidence in its direct customer, USA Hospital, but no direct connection to the phone numbers USA Hospital is utilizing for its patient communications.
Though USA Hospital is free to communicate via whichever phone numbers it prefers, Verizon (in this example) has no ability to verify that USA Hospital is authorized to use the phone numbers originating traffic since the phone numbers were not provided directly to USA Hospital from Verizon.
Figure 3 shows the result of this situation. The originating voice service provider will assign B level attestation when it can verify the identity of the customer through its KYC process but is not able to establish a verified association with the telephone number(s).
A common practice with enterprise callers, known as “Bring Your Own Number” or “BYON” [Footnote 1], occurs when the enterprise obtains numbers directly from a RespOrg or TN (telephone number) provider other than the originating service provider. The verified association still exists with the RespOrg or TN provider, but the originating VSP is not able to attest to the authorization at the time of call origination.
Attesting to the accuracy of the caller identification information with a B level attestation based on the caller ID information available to the originating VSP is the proper application of STIR/SHAKEN. However, this is not the ideal attestation level a legally operating enterprise, compliant with the applicable consent and auto-dialer rules, would expect for its outbound calls.
The concern for B level attestation is also based on how the call is treated by the terminating service provider, which may not display to the call recipient the same level of trust as an A level attestation. Enterprises in multiple industries have already filed concerns with the FCC regarding lower-level (B or C) attestation treatment [Footnote 2] impacting their ability to present a trustworthy calling identity to their patients, customers, or members.
Situation #4: The VSP has no direct relationship with the entity behind the call and did not provide the phone numbers.
In this situation, the VSP is originating calls that are facilitated through a Business Process Outsourcer or “BPO” on behalf of one of its clients. USA Hospital, in this case, is not dialing or directly contacting their patients via phone. They have partnered with the example BPO to deliver their business communications as an outsourced call center. This BPO has procured phone numbers for USA Hospital’s use through the BPO’s TN provider of choice.
Neither USA Hospital nor the VSP has a direct link to the phone numbers in use, and the VSP may or may not have any awareness of whose calls are being delivered by the example BPO in association with these phone numbers.
A common complex call-origination configuration for calling parties such as hospitals, state governments, retailers, and banks is the use of one or more intermediate entities (such as a BPO) to manage communications [Footnote 3].
Figure 4 showcases one of several examples where an intermediary entity sits between the originating voice service provider and the enterprise whose caller ID information and associated telephone number are to be attested. This intermediate entity is not a carrier, and in addition to our BPO example, could also be a hosted cloud service provider, hosted PBX, Unified Communications provider, Communications Platform as a Service (CPaaS) provider, Contact Center, or other communications vendor.
In the case of an enterprise that utilizes an intermediary provider (ex. BPO), the originating VSP will authenticate the calls with a C level attestation because it does not have a direct relationship with the entity behind the call (USA Hospital, one layer down from its BPO).
There is still value in C level attestation as it relates to traceback efforts, but the value to both the caller and the callee is diminished as the call will not be delivered with a “trusted caller” designation.
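The four situations above reduce to a small decision over what the originating VSP's KYC and number-provisioning records establish. The Python sketch below is an added example, not Numeracle's or any provider's code; the class names, party names and 555 numbers are constructed for illustration, and the C result for the BPO case follows this article's description of Situation #4.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Call:
    chain: tuple      # parties from the entity behind the call to the one handing it to the VSP
    calling_tn: str   # telephone number presented as caller ID

@dataclass
class OriginatingVsp:
    kyc_verified: set = field(default_factory=set)   # direct customers vetted through KYC
    provisioned: dict = field(default_factory=dict)  # TN -> customer this VSP issued it to

    def attest(self, call: Call) -> str:
        entity = call.chain[0]
        # Situation #4: an intermediary stands between the VSP and the entity
        # behind the call, or the entity was never vetted. Fail closed to C.
        if len(call.chain) != 1 or entity not in self.kyc_verified:
            return "C"
        # Situations #1 and #2: vetted customer using a number this VSP issued
        # to that same customer (not merely a number the VSP issued to someone).
        if self.provisioned.get(call.calling_tn) == entity:
            return "A"
        # Situation #3 (BYON): vetted customer, number association unverified.
        return "B"

def demo() -> dict:
    # Constructed sample records; +120255501xx numbers are fictional.
    vsp = OriginatingVsp(
        kyc_verified={"subscriber", "USA Hospital", "Example BPO"},
        provisioned={
            "+12025550101": "subscriber",
            "+12025550110": "USA Hospital",
            "+12025550111": "USA Hospital",
        },
    )
    calls = {
        "situation_1": Call(("subscriber",), "+12025550101"),
        "situation_2": Call(("USA Hospital",), "+12025550111"),
        "situation_3": Call(("USA Hospital",), "+12025550199"),
        "situation_4": Call(("USA Hospital", "Example BPO"), "+12025550150"),
    }
    return {name: vsp.attest(call) for name, call in calls.items()}

if __name__ == "__main__":
    for name, level in demo().items():
        print(name, level)
```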
While we don’t advocate for the non-use of B or C attestations, we support the industry’s efforts to define best practices for originating VSPs to pursue A level attestation by accurately identifying the calling parties associated with the phone number(s) originating traffic on their networks.
The relationship between callers, phone numbers, and originating providers is not as simple as the examples that guided the original development of STIR/SHAKEN. The current practices involving multiple entities in the call scenario make achieving an A level attestation for an enterprise caller who outsources calling operations to communications vendors (even the 100% legal, compliant, and trustworthy ones) difficult, if not impossible.
It’s Numeracle’s position that as the industry deploys STIR/SHAKEN, the needs of legal callers relying on trusted communications vendors for call delivery should be heavily considered.
The ability to establish A level attestation (despite the lack of a simple one-to-one relationship between a VSP and an enterprise caller) should be supported by the standards and best practices defined within the call delivery ecosystem.
If you’re a voice service provider, CCaaS, platform or technology provider, or any other organization looking for more information on how to implement a local policy KYC process solution to vet and validate the traffic on your network in order to attest calls at A Level, get in touch with us today. The Numeracle Entity Identity Management platform, and our complementary partnership with vetting authority Aegis Mobile, is being used by voice service providers today to authenticate identity (down to the calling party brand) and its authorized usage of phone numbers regardless of where the numbers were procured from.
ATIS SIP Forum IPNNI Joint Task Force, Study of Full Attestation Alternatives for Enterprises and Business Entities with Multi-Homing and Other Arrangements, Draft § 8 (2019) (analyzing different enterprise use cases).
See Ex Parte Letter from Farhan Chughtai, USTelecom, Inc., to Marlene H. Dortch, FCC, CG Docket №17–59, WC Docket №17–97, WC Docket №20–67, at 4 (March 23, 2020); Verizon Reply on Further Notice, CG Docket №17–57, WC Docket №17–97, at 5–6 (August 23, 2019); PACE Comments on NPRM/NOI, CG Docket №17–59, at 8–9 (July 3, 2017)