On Monday, June 12, leadership from Numeracle came together with representation from an Office of the Attorney General and Bandwidth to discuss the practicalities of deploying a KYC (Know Your Customer) framework in a real live telecommunications setting to bring purpose to the STIR/SHAKEN protocol. Our key mission? To share how very doable, possible, and let’s face it – necessary – it is to deploy a KYC framework within your organization to vet and verify the identities of each and every entity utilizing the network, right now, and with the help of a templated KYC guide to walk you through the process step by step.
Since Numeracle introduced the concept of applying KYC (as we previously came to know and love through its relevance in fraud prevention in the financial industry) to communications back in 2018, we’ve seen the industry grow to embrace it as case after case of communications identity fraud dissolved trust at an alarming rate. Evidenced by the existence of an entire virtual series now dedicated to the subject matter (the very series this session was featured in), there’s a lot of interest in the theory of KYC as well as in the rulemaking that requires it, but what’s been glaringly missing is the practical guidance to deploy it.
Numeracle and our panelists believe "reasonable" KYC, as it’s been referred to in rulemaking, should not be mysterious or impossible. We sought to remedy the absence of practical guidance through this session at the SIP Forum KYC Summit as one of many platforms we’ll be taking advantage of to expose as many service providers as possible to the guidance they’ve been seeking.
Our panel began with an overview of Numeracle's Model Standards for KYC, as filed with the FCC in April 2023. Serving as a template for voice service providers striving to keep illegal callers off their networks, these standards offer a practical, plug-and-play guide for service providers to use when crafting their own KYC policy and process.
Our panelists then discussed applications for the model standards, focusing on how deploying an Entity Identity Management (EIM) platform can help manage implementation of a KYC process and reduce risk for an organization. The panelists also discussed the future of KYC in communications, and what’s next from a regulatory perspective.
While hearing each of our experts’ unique points of view on the real-world implications of utilizing KYC to solve identity and prevent fraud in the communications industry, we dove deeper into the following focused topics of importance:
The FCC has mandated KYC, but never actually defined it. This started back in 2020, in support of the industry’s fight against illegal robocalls, when the FCC first instituted KYC requirements for originating voice service providers, and the concept has gained traction ever since. In May of 2023, the concept was addressed in a new way at the Commission’s May Open Meeting in the form of an order imposing “Know Your Upstream Provider” obligations.
As KYC requirements are expanded to include other types of providers such as gateway and intermediate providers (with the expectation behind the requirement being: service providers will go forth and purposefully act upon fulfilling these requirements), the need for KYC guidance has become increasingly important. As such, Numeracle’s Model Standards address knowing both upstream end entities making calls and upstream service providers delivering calls from their customers or other service providers.
“The requirements of KYC are expanding rapidly and I think it's time to try to get some meat on those bones as to what participants out there need to be doing.”
— Keith Buell, General Counsel & Head of Global Public Policy, Numeracle
All this to say, when it comes to KYC, either looking upstream or downstream, if you don’t already have something in place, you’re behind.
The panel explored how, while largely the same, “Know Your Customer” and “Know Your Upstream Provider” differ in practice. From our perspective, while it’s one thing to know your direct customer, the challenge is the expectation for your customer to do the same and go one level deeper to their customers, and their customers’ customers, and so on.
Generally speaking, there should be relatively minimal differences for most small voice service providers (VSPs) in approaching KYC vs. Know Your Upstream Provider. Some VSPs are in direct communication with call centers and there is little practical difference between the caller and the VSP itself. The bottom line is that every VSP has an obligation to verify there is someone on the other end of each customer interaction that doesn’t intend to send illegal traffic. And if illegal intent is identified, the VSP will take meaningful action to remove it if necessary.
“Ask yourself as a service provider, do I know who the end-user is? Do I know who this is? And do I feel like I have meaningful control over it and fully understand that? The way that you do that can vary. We've got the framework in there, but the key difference in terms of the result for what you should do in review is obviously, if it's a service provider, you are taking on additional risk, right? You are opening yourself up in a way that you don't get to review every single new customer of your customer, per se.”
— Sarah Delphey, VP of Trust Solutions, Numeracle
Essentially, the process isn’t different; what’s different is ‘who you’re targeting’ vs. ‘who you should know.’ The distinction is: ‘Who is the entity that’s actually delivering the call, and how do we get to them?’ For KYC of a calling entity, you’re not looking at the Robocall Mitigation Database (RMD). With Know Your Upstream Provider, on the other hand, the RMD is absolutely relevant.
“The concept of knowing your customer is not just within the FCC. We're already seeing this at an international level. Ofcom is publishing information around what knowing your customer means. What should we be looking at? What should the industry be doing? I think the key here is that the concept of Know Your Customer is not new whatsoever.”
— Rebekah Johnson, Founder & CEO, Numeracle
KYC starts with identity which requires verifiable data. There are varied global structures and rules for legal entities and service providers. This is why global frameworks such as GLEIF’s LEI are so attractive as a key that can potentially link identity across jurisdictions. We foresee both a global framework for baseline goals and data interoperability, with separate policies then established at the level of each governing body.
The ultimate goal of KYC should be to keep illegal calls off the network and the exact formula for doing that is going to change over time, but every company should know that without doing enough KYC and traffic monitoring to be reasonably sure that your traffic is legal, you could be held liable for the bad calls.
The harsh reality here is: anywhere there’s an opportunity for anonymity, it’s going to be exploited.
At the core of the KYC process lies the identification of potential risks and red flags associated with onboarding and maintaining service to customers. Deploying an EIM platform has emerged as a practical and efficient tool for KYC.
From the first engagement with a prospective customer, an EIM platform can be utilized to efficiently collect, verify, and authenticate customer information, ensuring accurate risk evaluation prior to onboarding. During onboarding, EIM can be used to capture and store customer data securely, perform on-demand identity presentation checks, and conduct comprehensive due diligence. This reduces manual paperwork and eliminates the need for redundant documentation. Ongoing monitoring via EIM gives service providers greater visibility to identify customers who may be engaging in non-compliant activities and require additional investigation and attention. In the event a customer warrants termination, service providers can easily access and manage relevant information required for the offboarding process via EIM, inclusive of contract details, compliance records, and communication history.
By streamlining risk assessment, simplifying onboarding processes, enhancing compliance management, and ensuring data security and privacy, service providers are able to effectively mitigate risks, improve operational efficiency, and deliver a seamless customer experience. As security and regulatory compliance continue to be a priority for service providers, implementing an EIM platform as a KYC tool becomes an essential step toward achieving these goals.
KYC is one of the primary ways that a VSP can avoid taking traffic that may get them in enforcement trouble. It’s simplistic, but a good KYC policy is whatever keeps bad traffic off your network.
With that in mind there are definitely common sense principles that should be applied. You need to know the type of traffic your customer intends to send you so that you can look at appropriate traffic metrics and confirm that the customer is sending you the traffic they say they are. If illegal traffic does come through, then you need to know that you can contact someone who will actually cut that traffic off.
The basis for virtually all enforcement action is that the target knows or should know that they are making or facilitating illegal calls. Without meaningful KYC, it’s going to be easier for an enforcer to make the case that you should have known that your traffic was illegal.
“If you want to play in this particular industry, there is a responsibility that comes with it, just like being a doctor or being a lawyer. There are certain fields in certain industries where there is a moral and ethical responsibility, and I think telecom is there now. We have to bring KYC into this industry.”
— Rebekah Johnson, Founder & CEO, Numeracle
When it comes to identity, call authentication, and KYC, while many voice service providers out there have implemented STIR/SHAKEN, we still see fraud on the network. This is due in part to not properly identifying the calling entity behind the call. This is NOT actually a STIR/SHAKEN problem, but an identity problem. The way to drill down to identity is through knowing who the end customer is. And in this panel discussion, we demystified the process of tackling this through KYC and learned it’s not impossible, it’s doable.
We hosted this panel together to shed light on the fact that there are standards, you should be adopting them, and there is a defined process available to you today. As evidenced by our line-up of panelists, we strongly believe it is important to hear from not just Numeracle, but from service providers as well as enforcement to get the full picture of what’s expected from the industry.
Our parting guidance: Take the steps to identify and block bad actors from your networks using KYC, or find yourself the target of the next anti-robocall lawsuit. Use our step-by-step guide to get you started, or reach out to us directly for a KYC consultation.