At the SIP Forum’s 2021 STIR/SHAKEN Virtual Summit, Numeracle and Aegis Mobile presented a joint webinar that explored the expectations of the Know Your Customer (KYC) aspect of STIR/SHAKEN, the TRACED Act, and what is expected in a Robocall Mitigation Plan. Led by Rebekah Johnson, Founder and CEO of Numeracle, and John Bruner, President and CEO of Aegis Mobile, the conversation also included expert panelists Steve Augustino, Partner at Kelley Drye & Warren LLP, and Stephen Smith, Founder and CEO of Fonative.
With various industry perspectives present, the group discussed the requirements for identity vetting across the network, considerations when monitoring for fraudulent activity, and best practices for how to implement a robust plan as expected by the FCC. The panel also gave special focus to FTC telemarketing enforcement initiatives, such as the KYC lessons learned relating to the Globex and Alcazar orders, along with insights on how to model a successful mitigation plan and what may happen if a service provider fails to comply with STIR/SHAKEN requirements.
The following is a summary of the key topics discussed within the context of the live panel discussion.
“Where does the vetting role sit? With the one vetting the customer.”
Know Your Customer is, and should be, more than identity checking. So far, KYC has been critical in other industries to protect consumers against fraud, and now we’re seeing it applied to communications to support STIR/SHAKEN. It has been said in the past, and was reiterated in this conversation, that STIR/SHAKEN is not a silver bullet for stopping bad actor traffic; its purpose is to at least prevent bad actors from hiding. This is where KYC has to come in.
As John Bruner of Aegis Mobile put it, there is a critical difference between identity checking and doing a thorough background check. “There’s a difference between letting someone into a bar by checking their ID, but you don’t necessarily know if they’re going to be a good customer or if they came in to rob the place.” Providers need not only to analyze the risk events and bad actors that they’re looking for, but also to use KYC to look deeply into those risk events to prevent bad traffic from originating in the first place.
“Up until now, we’ve always put risk on the terminating side in this STIR/SHAKEN world with analytics. It’s really important for the analytics to be there to display the risks to the consumer so they can make the decision to answer or not answer. What KYC does is bring that risk assessment all the way to origination. This is what I believe the TRACED Act was looking for and what the FCC and FTC were looking for: to prevent this traffic from getting onto the network in the first place.”
— Rebekah Johnson, Numeracle
Your KYC policy should act as your own perimeter check to keep bad actors from entering the network. Steve Augustino, Chair of Kelley Drye & Warren LLP’s Communications Practice, adds that each provider has a different risk assessment they need to make. “Not every provider has the same risk profile, the same kinds of customers, or the same kinds of capabilities so this is not going to ever be a one-size-fits-all solution.” This is especially true for BPOs, who represent many enterprises. It is not enough to validate just the BPO; its surrounding network of entities must also be validated through a KYC policy, or else they risk their calls not being signed or well attested.
The TRACED Act has tried to broaden the circumstances for carriers to terminate traffic on the network as well as add the responsibility that they now have to regulate and police their own traffic.
Robocall Mitigation Plan Considerations
Through Robocall Mitigation Plans, the FCC is taking steps to identify providers who have not outlined the steps they’re taking to stop originating illegal robocalls, and to check whether providers are following their filed plans. While the FCC has a non-prescriptive approach, it will work case by case to identify situations where the steps taken were not enough. Once the steps you plan to take are listed in your Robocall Mitigation Plan, the expectation is that you not only follow those steps but also adjust your model as time goes on to continuously monitor and maintain visibility into the traffic on your network.
“Robocall Mitigation Plans are a pledge to the FCC about what they’re doing, which then becomes enforceable. When writing them, try not to overpromise; what you say you’re going to do, make sure you actually can do.”
— Steve Augustino, Kelley Drye & Warren LLP
Fonative, which functions as a scalable Communications Platform as a Service (CPaaS) provider to connect customers via voice and messaging, was prepared for the June 30th STIR/SHAKEN implementation deadline far in advance, with a detailed and robust KYC program to ensure none of its customers’ calls would drop off post-deadline. With a longstanding focus on compliant communications, Stephen Smith says, “rather than checking a box on compliance, we leaned into it,” and took full advantage of a Robocall Mitigation Plan as a gateway to conduct healthy traffic and attest calls.
Enforcement & Lessons Learned
To combat fraudulent activities on the network in the past, the Federal Communications Commission (FCC) has sent cease and desist letters*, which were largely triggered by traceback requests. When those traceback requests are received, it is critical for a provider to act on them to prevent future traceback issues with its customers.
In conjunction, the Federal Trade Commission (FTC) has gone after several VoIP providers for aiding and abetting telemarketing violations. According to the FTC, these entities were actively participating in violations against their end-users. Settlements with Alcazar and Globex took place in the fall of 2020, in which both entities agreed to take a detailed look at what their customers were doing before they provided service and called for recurring assessments to be conducted as an added layer of security.
For these recurring assessments, John Bruner recommends, as a best practice, re-vetting customers once background checks have been done, by analyzing their behavior to search for erratic patterns that could be fraudulent. Stephen Smith adds that, from his perspective, it is not possible to do all of this ongoing vetting work in-house; that’s what specialists and a trustworthy partner network are there to help with.
“Another way of looking at it is how much we all stand to gain if the voice channel becomes trusted again. It’s not just about not wanting to be punished. Over the last decade, enterprises have seen outbound calling become less effective because no one will answer their phone. So I also like to think of it as an investment until we weed out the people that are committing fraud.”
— Stephen Smith, Fonative
If you have not implemented STIR/SHAKEN or do not file a Robocall Mitigation Plan, your network may be shut down come September 28th, 2021, when carriers will no longer be allowed to accept traffic without either policy implemented. If you’re originating or allowing bad actor traffic to traverse the network, watch out, because you may be shut down.
When given the opportunity to present the key takeaways from each of their unique perspectives, our panelists had the following to share with the audience:
Steve Augustino, The Communications Lawyer: Whatever you list in your Robocall Mitigation Plan is enforceable, so make sure it’s realistic and that you do not overpromise. Be flexible and adaptable to potential problems you did not anticipate, and address them head-on. Do not willingly turn your blinders on to bad traffic on your network.
Stephen Smith, The Platform Provider: STIR/SHAKEN is achievable, and if you’re behind on it, don’t panic. We’re still in the early days. This is a long process that takes time to implement and we’ve only just begun. It will be ongoing, so keep thinking about KYC and how to keep integrating.
John Bruner, The Vetting Authority: Bad actors are well funded, they’re smart, and they always find a way to work around whatever you’ve put in place to try and stop them. Be agile going forward, and be ready to evolve or change tactics quickly. Do what you can to prevent bad traffic on your networks, but be ready to execute and solve it in case it does come up somehow. Don’t let them on your network for too long.
Rebekah Johnson, The Identity Pioneer: Once you have a baseline of what the truth is down to the entity identity level within any given provider ecosystem, you can then structure a local policy unique to your architecture that allows for an additional layer of analytics on top to further protect yourself as well as the verified entities on your platform.
In closing, “we’re at a place where it feels like everyone is getting their high school diploma on this and now we’re thinking about our undergraduate degree when this is really graduate-level work.”
— Stephen Smith, Fonative
How to Watch the Replay
Thank you to our panelists and all the attendees who were able to join us in the close-out session of the 2021 STIR/SHAKEN Virtual Summit, hosted by the SIP Forum. To watch this webinar discussion retrospectively, register at: https://register.gotowebinar.com/register/5810059550681892109.
How to Implement KYC Within Your Organization
For a practical overview summarizing the key elements required in implementing a KYC-based identity verification and risk mitigation program, download the Numeracle & Aegis guide to structuring your STIR/SHAKEN local policy in support of ongoing Robocall Mitigation efforts.
About the Panelists:
Rebekah Johnson of Numeracle: In addition to being the Founder & CEO of Numeracle, Rebekah serves on the FCC’s Robocall Strike Force on behalf of the Empowering Consumer Choice Working Group. She is an active member of the FCC’s Hospital Robocall Protection Group, Chair of the Enterprise Communications Advocacy Coalition (ECAC), a member of the ATIS IP-NNI Task Force, and co-author of the SHAKEN Standards.
John Bruner of Aegis Mobile: While serving as Aegis Mobile’s President & CEO, John has 25+ collective years of leadership experience in enterprise technology innovation and strategy, process reengineering, regulatory and financial operations, and is a leader in enterprise information services in data management, data modeling, data governance, and business intelligence.
Steve Augustino of Kelley Drye: Chair of Kelley Drye’s Communications practice, Steve’s practice ranges from regulatory, legislative, and administrative law counsel to transactional advice, advocacy, and litigation while providing counsel for voice service providers on the implementation of STIR/SHAKEN and Robocall Mitigation techniques.
Stephen Smith of Fonative: Stephen is an entrepreneur & technologist whose CPaaS firm’s product and tech platform power 100+ U.S. contact centers. He is also a member of Jeff Pulver’s VON advisory board, with leadership experience in technology, media, and telecommunications.
FCC’s three waves of cease and desist letters: