Rebekah Johnson (00:52): Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today's session with Gerry Christensen, VP Business Development & Strategic Partnerships at YouMail. It's so great to have you here today, Gerry.
Gerry Christensen (01:38): Thank you, Rebekah. It's definitely great to be back.
Rebekah Johnson (01:42):It's really exciting to have you here for something very specific that you've published, which got a lot of attention. We knew we had to do a Tuesday Talk on it so we could dive a little bit further into what you've shed light on.
For the audience, Gerry recently authored a great overview article of ten things to watch out for in order to secure safe voice communications in 2022 and beyond. Some of those topics cover blocking versus labeling and redirection, the impact of STIR/SHAKEN ubiquity, number allocation policies, enterprise identity, UI best practices which you don't hear a lot about, regulatory actions, and enforcement. It included a lot of great topics so we'll share that article with our listeners.
For today, I want to focus on two areas that you dove into, enterprise identity and the KYC (Know Your Customer) best practices. With enterprise identity, what we're watching for based on your vision for 2022, is that number owners and custodians will be increasingly compelled to register telephone numbers for vetting and employ various validation methods such as out-of-band authentication as an alternative to STIR/SHAKEN.
We're also seeing that branded calling will begin to have a positive impact even prior to RCD (rich call data) availability, as consumers begin to recognize that branded calls are also authenticated calls. There are a lot of interesting concepts that you have in there, and I want to give you an opportunity to break it down and talk about enterprise identity.
Gerry Christensen (03:55): These concepts are interrelated to some degree. For example, when I say that branded calls are also authenticated calls there is a presumption that there's some form of vetting that happens up front and that operationally speaking, when the call is presented that there is some level of authentication whether that be STIR/SHAKEN or out-of-band authentication, which I would argue the latter is better than STIR/SHAKEN. I have nothing against STIR/SHAKEN, it's definitely table stakes and we need to authenticate calls so there are lots of good reasons and lots of good benefits with STIR/SHAKEN, which, if we have time, we can get into that in this discussion.
I would argue that out-of-band authentication is even better because you don't have some of the ambiguity that you can have with STIR/SHAKEN and potentially even some of the false positives where you think it's a good call but it's really not. Another interrelated area there is with the UI aspect.
Today, when your average everyday user sees a branded call, they probably get the general idea, especially if the logo is on there, but if you did a poll and you asked people, they wouldn't necessarily know that that's a completely safe call. Ultimately, that's where we want to get to as an industry. In the case of YouMail, we focus almost all of our attention on protecting against the bad calls but the converse is also really important. We need to train consumers what a good call looks like and make sure that when we say it's good, it really is good.
Rebekah Johnson (05:28): When I look at what's available in the ecosystem today with that combination of an authenticated call plus the branding, Google is the only one that comes to mind that is solving for that. This brings me back to the point you just said about out-of-band being the solution. Can you expand on that and how those three elements all truly meet the enterprise identity need that the consumer is looking for?
Gerry Christensen (05:54): It starts with the vetting and the KYC because you don't want to present a branded call as such unless you know something about the entity that's presenting their brand. You want to make sure they're genuine and, of course, you want to know something about their business practices to make sure that it's worth presenting their brand.
It starts from there but from an authentication perspective, one of the reasons why I like out-of-band is just by the nature in which it works. Before a branded call is actually presented, literally seconds or a fraction of a second before that occurs there will be a notification that is sent over the network stating that a branded call is about to send. Of course there's timing involved here so if you have your timer set appropriately, you know when you see that call come in that it's the same call that you're expecting so you give it favorable treatment from a reputation perspective.
In other words, you don't label it adversely, you don't assume that it's a spoof call, you know that it's a good call and you present it as a branded call. So that's why I like out-of-band as opposed to STIR/SHAKEN, again, nothing against STIR/SHAKEN, but STIR/SHAKEN is not ubiquitous yet and even once it is, we still have some issues going on with attestation not exactly matching reputation. If we have time we can talk about that and some of the things that YouMail has seen.
Rebekah Johnson (07:21): We should reiterate here that STIR/SHAKEN is not enterprise identity. There are some misunderstandings in the ecosystem even service providers have. This is a misunderstanding that goes beyond the enterprises. Even service providers are supposed to be implementing and understanding that STIR/SHAKEN doesn't doesn't remove fraud and spam labelings on the terminating carrier side.
It also isn't an enterprise identity solution, meaning that if you originate a call into the network and it is signed with A-level attestation, that a wireless carrier on the receiving end of this information will trust that call 100% and with anything and everything you say about that call, they'll display it to the consumer and they can trust it 100%. That is not how STIR/SHAKEN is being deployed and that is not how we want consumers to even see it from that perspective.
Gerry Christensen (08:27): I would agree and I would add on to what you're saying, that the only thing that you can trust, if it's A attestation, is that it's not a spoofed call. That does not mean that you can trust a call. I'll give you a case in point that's funny. We were going over this last night with YouMail because we are fully with STIR/SHAKEN ourselves, we do receive these calls, they go through our voicemail system, and we run analytics. That's what we do as a business. We can match that up with what we're seeing with the STIR/SHAKEN information and I literally was looking at some A-attested calls that I matched up to the campaign and they were unlawful campaigns.
So this is what's happening. We're not having spoofing happening anymore but what's happening is that whole leased number situation that's happening, which I talked about at SIPNOC, where somebody will lease numbers out to somebody. From a KYC perspective, they know who they are, they know how to reach them, but they're not monitoring the behaviors of the use of those numbers so, in some cases, they're used in conjunction with unlawful activities.
Rebekah Johnson (09:31): I want to dive into that word, monitor, because I do believe it goes with the enterprise identity. We're not just looking at enterprise identity as something that we're going to associate with a call and then be done with. We'll get into KYC soon, but if you have the enterprises' identity associated with these calls for the sake of branding then you can, as a service provider, add additional monitoring on top, and then you'll know exactly who the entity is behind it and be able to shut this type of fraudulent traffic down.
In that situation, if the service provider was leveraging the services that you have for that monitoring, they would have all that informative information to know who to go to, shut off or cut off access, or at least start the process of learning how they are leveraging their services to onboard calls into the network so you can do a better job at monitoring. Then we can have a self governing environment that we create, but it does require this information to be able to do something actionable around it. I know you have experience on how that's being used.
Gerry Christensen (10:35): In my perfect world, all numbers would be monitored. I don't mean that in some dystopian way, because what we're looking at is the calling party number, not the called party number. We don't need to know the called party number, we just monitor the calling number so that we can see what their behaviors are.
We do have some customers that are taking advantage of this. We've got one CPaSS customer that uses what we refer to as our Watchlist. What they do is they register numbers of interest in the Watchlist and then we let them know if or when there's ever any unwanted robocall campaigns associated with them. The way that this particular CPaSS customer uses it is for vetting themselves. They use it very closely with their KYC process because they have their own customers that come to them, sometimes with numbers, wanting them to handle these calls for them with these numbers.
What they'll do is plug those numbers into our system and they'll see just how clean or unclean they might be and then they make an informed decision on whether they want to allow this to be a customer of theirs, and if they do, are they going to monitor them very closely? We do have, at the grassroots level, some customers that are taking advantage of this, but I would say, by and large, your average everyday UIP service provider have very thin margins and are not looking to add cost to their operations but they're looking to trim costs if they can. I would say that there's an argument to be made that this is a very important cost because it's a lot cheaper to be in compliance than it is to have regulatory action or legal issues.
Rebekah Johnson (12:09): Absolutely. I want to close out on enterprise identity before we get into KYC with regards to the last statement that you made in your article around enterprise identity. I'm just going to repeat it: "branded calling will begin to have a positive impact even prior to RCD availability as consumers begin to recognize that branded calls are also authenticated calls."
To me, one of the key things that this is drawing attention to is that we have to have monitoring and trust and processes implemented and the verification and authentication side of this has to be there for branding or else I believe we could go in the opposite direction in 2022 and lose trust from the consumer. 2022 may be the year where this gets tested out and consumers will react and respond by either trusting this information or saying no thanks to it where despite appreciating the logos and the branding, believing that there are too many mistakes leading them to no longer trust it. That's a fear if we don't get this right. What are you seeing in that space? Because you definitely hear from the consumers.
Gerry Christensen (13:16): You may be right; my crystal ball is no better than yours, but you may be right and it's possible. If you think about it from the consumer's perspective, they've got so many different use cases. There are four distinct ones that come to mind to me. One is the plain old UI that we've had ever since smartphones began, another use case is some kind of branded calling experience, the third use case would be the checkmark, and then the fourth one would be some kind of labeling. If you're a consumer, it's very confusing.
Until consumers have enough education and understanding of what a branded call is, what it looks like, and what it means, there probably will be confusion. I would say a fifth thing to add on top of that is brand impersonation, which is something that we deal with and we have a service to detect that. Brand impersonation would be when you get a call and they say they're Marriott, but they're really not Marriott.
There are about five things in the mix there that have to be considered. I would say that if somebody gets a branded call that's really Marriott and it's got the Marriott brand on there, great. But what if an hour later they get a call that says they're Marriott, but it didn't show up as a branded call, of course, because it's a bad guy doing something, yet the consumer gets confused and they might try to hold that against the company, not appropriately. The reason I bring up Marriott is because that's one of our customers and we're protecting them, so it's not going to happen to them, but I think you get the example. I'm saying there is a need for consumer education so they know what to expect when they see certain things on the UI.
Rebekah Johnson (14:52): Absolutely. I think this is obviously speaking near and dear to both our hearts when it comes to how we believe in this technology, we believe in the services that it offers to consumers, and we're equally passionate about how these tools are deployed and leveraged.
Numeracle and YouMail are working on a joint whitepaper to go into further detail on this concept including an evaluation of how branded calling and brand identity go hand in hand, taking a look at brand spoofing and how that relates to number spoofing. We need to provide more education and awareness on how this might derail so that we can make sure that it stays on track for the consumer.
Gerry Christensen (15:36): Part of the idea there is to take a leadership position, it's not to say that Rebekah knows everything about this or Gerry knows everything about that, but at least have a start and put something out there. If we can get some comments from a few subject matter experts in the industry, I think that would be fantastic because everybody would generally agree that it's all over the place from the KYC perspective.
There are people doing great things like Numeracle but I can't say that there's an industry standard for how it's done. There aren't common expectations across all companies for the minimal things that you must do, what things you can do to go above and beyond, and if you do monitoring, does that give you extra credit? There's definitely a lot of things that we can do as an industry so the idea of the white paper is to stimulate that thought and conversation.
Rebekah Johnson (16:28): Great segue into the next topic that I want to dive into for this Tuesday Talk episode. Let's shift our focus now to the KYC best practices. Gerry, when you summarized the need for KYC best practices, which everyone has been hearing a lot about, in your article you focus on the industry need for Know Your Customer (KYC) guidelines for voice call originators.
Just as the Mobile Marketing Association was instrumental in the development of SMS best practices for A2P messaging, you've also identified there's a need for call originators to adhere to certain customer onboarding and administrative policies that are focused on business vetting, phone number behavior monitoring, threat detection, and response. I also had a SIPNOC webinar, we both participated in SIPNOC last week, and obviously once again, we are very much aligned in identifying that there is this need.
From our perspective, my session was on the privacy, security, and KYC aspect of branded calling and trying to bring it up to that level to ask how we trust the data? That's what this is really about: how do we trust the information that's going to be delivered? You are spot on with that statement on the industry need for KYC guidelines for voice call originators. What were you looking at and evaluating when you were contemplating the top ten things on your list and then that statement, which is so quotable, came to mind?
Gerry Christensen (18:04): Well, I think there's a full spectrum and a full range of possibilities when it comes to KYC vetting and coming up with best practices. I say a full spectrum because it runs the gambit from how do you treat a customer that comes to you that says they want $10 million for a short duration campaign? From a sales friction perspective, if you ask them too many questions they're probably going to go to somebody else. If you want to service that kind of customer, great, but you're probably going to have to watch them like a hawk because they're not willing to be vetted and they're not willing to answer a lot of questions.
On the other side of the spectrum, customers that are on the up and up that you can trust, they're probably going to very willingly give you their TCPA compliance statement. They're probably going to be willing to tell you the types of campaigns they run, expectations they have, and they may even be interested in being monitored. Part of having best practices around KYC is having a range of possibilities of what you do. That way if you ever run into trouble, you can evidence your KYC best practices and explain what we normally do.
If it happens to be an entity where there are a lot of questions, you can see how they answered these questions, if it ever comes to that. I see this more as an evolution and a process. I don't think that it can be like a cookbook in the sense that we can say exactly the way it needs to be done, it's probably going to evolve over the course of the next couple of few years.
Rebekah Johnson (19:37): I like that you didn't immediately go to solutions. When I hear about acceptable KYC best practices, I'm hearing more sales tactics to buy a solution or sales saying their KYC solution is the best one because they have a database with all this information in it and because they say who they are that I should trust them.
That's not what we're hearing from the carriers. That's exactly what they want, they want you to trust them because they say they're trustworthy. I hear that from customers, and I realize they're big brands but they'll come through to Numeracle saying they don't need to do a KYC because they're a big brand on the Nasdaq. I want them to prove it. It doesn't matter, I don't care if you're a no name company or a big brand name, everybody has to go through the same process. But that's just how Numeracle does it and it is still very siloed.
I know that the NANC CATA Working Group put out a best practices but it wasn't perscriptive, it just said, you need to have a KYC process or you need to have a vetting process. Then that gets into who vets the vetter? I don't know that we need to do that process of who vets the vetter, who vets the vetter, to who vets the vetter. What we're missing, which is what you called out, is we need some guidelines. Once we establish some guidelines and then have an evaluation of how each of these entities are meeting those guidelines, then we start to create an ecosystem that can operate.
Gerry Christensen (21:02): A good analogy could be the standards process. Whenever you're developing a new standard like SS7 or SIP, for example, there's always mandatory and optional parameters. Using that analogy here with KYC, there needs to be some mandatory things that you always ask when you're doing KYC, and some optional things. Optional things could give you extra credit, so to speak.
Even on the mandatory ones, just asking them is mandatory but then, where you hold yourself accountable, is the types of answers that you get. Some answers that you get could be acceptable and some not acceptable. For example, if part of your vetting is requiring that you know who Gerry Christensen is, that he's a real person, that you can reach him, etc, if he just gives a G-mail address and he gives a PO box, that's probably not acceptable. Not only do we need to figure out what goes into KYC, but what are some best practice examples for what type of information is acceptable.
Rebekah Johnson (22:08): KYC is not new, this is just a component of an already established framework in the financial industry, and it's also not US-specific, it is global. There is a standard, and KYC is just one little component, in order for fraud and terrorist activities like money laundering. We don't have to create something from scratch; we don't need to reinvent the wheel.
I do think, though, that there needs to be some leadership, maybe you and I could get together and get some momentum going, that it's not just Rebekah and Gerry's say so of the way the world is. We need to bring other players who will stand up and say, I want to be a part of creating something that is prescriptive. We have to get more specific in what the KYC guidelines need to be, otherwise, we're opening up to anybody, and you mentioned it earlier, the service provider is just going to view it as a checkbox.
KYC is an ongoing process, it's not just identifying your customers, it's knowing your customers and knowing how they operate within your network. For example, banks do this. I know we've all dealt with traveling and using your card, or maybe you have a deposit that's out of the ordinary that they're going to halt because they're constantly monitoring for those behaviors and if someone goes off script then that sets off an alarm. We have to apply the same thing within voice communications and I just don't see this going anywhere if we don't apply that.
Gerry Christensen (23:53): I agree, like you said, KYC has been around for a long time and we should take a page from the script of credit card issuers, for example. With somebody that has a really good credit score, maybe you don't monitor them as closely and you give them a much greater credit limit. But somebody else that doesn't have a good credit score you give them a lower limit, you watch them really carefully, maybe you amp up the fraud detection so if they make certain purchases you can challenge them.
That analogy could be applied towards the voice channel too. If you've got a customer that you trust are real, then maybe certain KYC practices are good enough. But with somebody that's questionable, maybe you need to monitor them. One of the analogies that we kicked around when prepping for this session comes from the rental car industry. Rental cars can use telematics just like you can in any car so if a rental car agency thinks that Gerry Christensen is potentially a threat because he's going to go too fast in the car, he's going to drive it over state lines when he's not supposed to, he's going to do things he's not supposed to do, then maybe you need to have telematics on there to monitor Gerry's behavior.
Now that's an example of a physical good vehicle but it's a little trickier when it's digital intellectual property good like a phone number. We have solutions for that and that's what we do at YouMail. Again, it's an optional thing that could be done to reinforce KYC and perhaps doesn't need to be applied universally, even though that would be my ideal world, but rather applied judiciously when you think there's a need to do that and when there's a particular customer that you think you might want to watch extra carefully.
Rebekah Johnson (25:39): Your rental car example highlights the liability aspect of why you want to monitor. It's relevant based on what we're seeing on the enforcement side, which you did cover as well, is maybe you should be monitoring so that you can reduce your liability for when things go a little awry and then it's the FTC or the FCC who has been monitoring and has something to say about it, which is a huge fine. I promise you, based on the numbers that I'm seeing coming out, there is no monitoring solution that's going to cost you that much. You will always be paying a tiny bit more than what could potentially happen if you don't do any monitoring whatsoever.
Gerry Christensen (26:22): I would agree; you need to look at the total life cycle cost of anything. So when I say that VoIP is dirt cheap, what's not counted in that is litigation. What's not counted in that is the cost of handling tracebacks. If you add up the cost of all these things, you need to, obviously, ascribe a probability to that. That's why I like game theory. Game theory is the probability of something happening times the impact of that thing happening.
If you run the models and you look at it, then you might find that having more stringent KYC and monitoring is actually cost effective and that it actually is cheaper to do that than it is to have the threat of having these problems. If you're allowing stuff to go through your network or in the case of an enterprise unbeknownst to you, maybe somebody is spoofing your number or tarnishing your reputation with your brand and you don't even know what's going on, as opposed to monitoring.
Rebekah Johnson (27:21): Gerry, I really want to thank you for spending time with us today to talk about this. We are going to publish that whitepaper and I will solicit anyone who wants to raise their hand and participate in it. I know that we would love to get feedback as well if there are some strong opinions in that space.
So we'd like to thank all of you for joining us for another episode of Tuesday Talks. Gerry, thanks again for joining us, I know this won't be last time that we will have you on our show. We hope to see you all again on Tuesday, April 12. Take care.