Numeracle had the pleasure of organizing a webinar during the SIP Forum 2023 KYC Summit, which showcased a distinguished panel of industry experts. Our overview of the webinar, Bringing Purpose to STIR/SHAKEN Through Identity With KYC – A Recap, includes a complete summary and playback of our session should you want to watch it retrospectively.
Patrick Crotty is a Senior Assistant Attorney with the Florida Office of the Attorney General, Consumer Protection Division. Since 2018, he has litigated cases under Florida’s Deceptive and Unfair Trade Practices Act as well as other Federal and State consumer statutes, including cases involving illegal and unwanted phone calls. His practice includes issues related to telecommunications, class actions, and unfair and deceptive trade practices as supported by the Telephone Consumer Protection Act (TCPA), the Fair and Accurate Credit Transactions Act, and the Fair Debt Collection Practices Act.
Despite the implementation of STIR/SHAKEN, fraud on the voice network still occurs in part because there isn’t enough proper identity verification of calling entities. This isn’t a STIR/SHAKEN problem but an identity verification issue. The solution is simple: know the end customer’s true identity by leveraging Know Your Customer (KYC) policies, which our panel worked to demystify and show to be feasible.
Having Patrick Crotty on the panel brought expertise on consumer protection, which is intertwined with KYC practices. The impersonation involved in phishing scams, and the difficulty in tracking down the origins of such scams, underscore the challenges faced in combatting fraud effectively and the urgent need for robust consumer protection measures.
The missing key element in protecting consumers from fraud is a focus on identifying and taking appropriate action against suspicious customers, even if it means denying their business.
“I think the most important thing is that you should not be accepting traffic unless you know that there's someone on the other end of the customer relationship that doesn't intend to send illegal traffic and is going to take meaningful action to remove it, if necessary.” — Patrick Crotty
Regardless of whether the source of fraud or unwanted calls is an end-user, a call center, or an upstream provider, the impact on consumers remains significant. Crotty warns that the danger and harassment caused by such calls are equally concerning, regardless of the transmission point, so understanding how your services are being utilized and being able to respond promptly to any changes is crucial. He recommends having a reliable partner on the other side of your customer relationship who will take action to mitigate the negative impact of fraudulent or unwanted traffic to avoid enforcement issues and maintain good standing.
In cases where you receive blended traffic from various sources, Crotty strongly encourages having robust traffic monitoring procedures alongside KYC practices. You can assess if the traffic aligns with the expected use case by analyzing call detail records and examining factors such as call durations. If discrepancies arise or traceback issues occur, KYC processes enable you to verify claims made by your customer and scrutinize the traffic profile for any red flags. Monitoring the traffic, knowing your customers, and eliminating bad sources when you find them (even if they come from one of your customers) are essential steps in maintaining security and reliability, particularly when there is uncertainty about the traffic source.
“It's imperative that you have good traffic monitoring procedures to fill in the gaps with what you can know from Know Your Customer. [...] If you're not sure who your customer's customer is, and you can't verify that assertion, then it's even more important that you be looking at the traffic [and] you need to be verifying that that's actually happened and that they're not just telling you what you want to hear.” — Patrick Crotty
So far, clarity around KYC standards from a consumer protection perspective has been hard to come by because there is no one-size-fits-all approach. Preventing unwanted traffic on your network is something that has to be adapted over time, as bad actors continually find creative ways to exploit the voice channel for fraud and theft. Patrick Crotty states that the goal is to keep illegal traffic off your network, necessitating a comprehensive understanding of various metrics and aspects of the customer relationship.
He warns that a rigid or formulaic approach won’t be enough; training staff involved in customer relationships to comprehend the significance of different call factors and what to look for is crucial to finding and preventing bad traffic. And a list of checkboxes won’t cut it either; your team needs to understand how to detect attempts to manipulate the system. Those attempting to exploit your services are thieves seeking new and improved ways to abuse consumers, and the reason it happens so much on the voice channel is anonymity.
“The role of KYC is to try and eliminate that anonymity to the greatest extent possible. [...] Anonymity is great for the fraudster, and it is terrible for everybody else that's either receiving the call or in the call path.” — Patrick Crotty
Anonymity provides a convenient cover for fraudulent actors, making the voice channel an attractive space for exploitative activities. We agree with Crotty here; we need more KYC for identity verification.
A well-articulated policy alone isn’t sufficient if there is a lack of follow-through. Merely stating that measures are being taken to mitigate robocall traffic without actively monitoring and enforcing consequences isn’t enough, and enforcing the consequences for sending bad traffic is crucial for maintaining credibility.
Crotty went on to say that cases where a company has a good policy but fails to adhere to it are easier to argue in enforcement actions because it implies a disregard for the problem while prioritizing financial gain over compliance. In these cases, fact-finders will assess whether the reasons for not following through on the KYC policy are significant enough to hold the company liable. The importance of consistent follow-through cannot be overstated.
“If you just take it at face value, and you don't monitor and take the other steps that your policy lays out, then it doesn't matter that you have a well-articulated policy. You're not really following through, and you're not making people experience the consequences of sending you bad traffic. The follow-through is the most important thing for me.” — Patrick Crotty
From a regulatory perspective, the FCC’s focus has been on targeting smaller intermediate carriers that act as gateways for illegal robocall traffic, but there are still questions about the expectations and enforcement of KYC processes. Crotty explained that the goal isn’t to hinder industry competitiveness but to establish guardrails, assist companies in running businesses that don’t flood the phone network with illegal robocalls, and go after those who knowingly allow fraudulent calls on their networks.
“The idea is that there'll be a strong backbone of good providers who are turning away the sources of bad traffic, providing a competitive service that keeps rates down for consumers and are doing things the right way and that bad traffic gets shunted to a hopefully increasingly small number of irresponsible actors.” — Patrick Crotty
The implementation of KYC processes by service providers can help identify and address bad actors, leading to more targeted enforcement efforts. Patrick shared that assessing industry improvements and trends resulting from KYC implementation is an ongoing task, but that conversations on the topic should continue in order to monitor progress and encourage more rigorous adoption.
Collaboration within the industry is crucial to address and strengthen areas that require standards. The relationship between standards and laws, especially in the context of KYC, needs to be interwoven. But the diverse nature of this industry makes it challenging to establish a universal set of regulatory criteria. Due to constant changes and various players operating in different niches, finding a single process to classify and identify companies is a difficult task for the FCC. It’s encouraging to see the FCC recommending the implementation of a Robocall Mitigation Plan that includes KYC, regardless of a provider’s STIR/SHAKEN status. As Patrick mentioned, the ability to request and compare these standardized documents with actual practices will be a valuable step forward.
There is potential for effective KYC implementation, and recent rounds of filed comments provide insights into trends and predictions in KYC adoption. We hope to look back on this conversation a year from now to see if the industry has improved and how KYC has protected consumers from fraudulent events.
During an earlier panel discussion with representatives from the FCC, a question was raised about the availability of a template or guidance for implementing KYC within organizations. The good news is that a template does indeed exist. Numeracle released a policy guide, "Model Standards for KYC Review," filed as an Ex-Parte with the FCC as a plug-and-play implementation guide for organizations to customize and adapt for their KYC review processes.
It includes criteria, data points, and responsibilities for team members involved in KYC, covering pre-activation requirements, identity verification, intended use and history, end-user versus service provider clients, enhanced due diligence for high-risk clients, and ongoing activity monitoring. Additionally, it provides suggestions for high-risk categories or use cases and highlights red-flag behaviors that should prompt further review.
Our whitepaper, “Call Record Review Whitepaper,” provides an overview of how organizations can utilize call records to monitor customer activity and combat fraud. It explains the meaning, uses, and limitations of various calling information and metrics, including short-call duration percentages, average call durations, and answer seizure rates. This whitepaper can help identify potentially high-risk or low-risk situations, offers suggestions on conducting additional KYC reviews, and serves as more than a starting point for internal fraud mitigation discussions within your organization.
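An added illustration of the call-record monitoring described here and in the earlier discussion of blended traffic (not code from Numeracle or its whitepaper): it computes answer seizure rate, average call duration, and short-call percentage per customer and flags traffic that departs from the use case recorded at KYC onboarding. The record layout, the 6-second short-call cutoff, the profile thresholds, and the customer names are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample CDRs: (customer_id, answered, duration_seconds).
SAMPLE_CDRS = (
    [("acme-clinic", True, d) for d in (45, 60, 30, 50, 40, 75)]
    + [("acme-clinic", False, 0)] * 4
    + [("blend-wholesale", True, d) for d in (3, 4, 5, 40)]
    + [("blend-wholesale", False, 0)] * 16 + [("unknown-reseller", False, 0)] * 5
)
# Hypothetical traffic envelope recorded at KYC onboarding; thresholds are assumed.
PROFILES = {c: {"min_asr": 40, "min_acd": 20, "max_short_pct": 20}
            for c in ("acme-clinic", "blend-wholesale")}

def traffic_metrics(cdrs, short_secs=6):
    """Per-customer ASR (%), ACD (s) and short-call share (%) from raw CDRs."""
    attempts, answered = defaultdict(int), defaultdict(list)
    for customer, was_answered, duration in cdrs:
        attempts[customer] += 1
        if was_answered:
            answered[customer].append(duration)
    out = {}
    for customer, total in attempts.items():
        durs = answered[customer]
        n = len(durs)
        out[customer] = {
            "asr": 100.0 * n / total,
            # With no answered calls ACD and short-call share are undefined; report 0.
            "acd": sum(durs) / n if n else 0.0,
            "short_pct": 100.0 * sum(d < short_secs for d in durs) / n if n else 0.0,
        }
    return out

def review_flags(metrics, profiles):
    """Return {customer: [reasons]} where traffic departs from the KYC profile."""
    flagged = {}
    for customer, m in metrics.items():
        p = profiles.get(customer)
        if p is None:  # traffic from a source with no verified identity on file
            flagged[customer] = ["no_kyc_profile"]
            continue
        checks = [("low_asr", m["asr"] < p["min_asr"]),
                  ("low_acd", m["acd"] < p["min_acd"]),
                  ("high_short_call_pct", m["short_pct"] > p["max_short_pct"])]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            flagged[customer] = reasons
    return flagged

if __name__ == "__main__":
    print(review_flags(traffic_metrics(SAMPLE_CDRS), PROFILES))
```

A flag here is a prompt for the additional KYC review the text describes, not a verdict; the metrics only show that the traffic does not match what the customer said it would send.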
“Now, nobody can say they don't know what a KYC policy looks like. Nobody can say, I don't know where to get information on how to do the ongoing monitoring of what red flags look like.” — Rebekah Johnson, Founder & CEO, Numeracle
We know it can be difficult and time-consuming to search for the right KYC or EIM solution provider to partner with. We’re always happy to help answer any questions and provide clarity into the many possibilities, limitations, and success stories of currently available solutions so you can feel confident in choosing the right strategy for your business.
Contact us for more information about Numeracle’s KYC tools and product capabilities. Or, to get started with understanding the fundamentals of deploying, establishing, and performing KYC functions, download our guide.
Patrick Crotty is a Senior Assistant Attorney with the Florida Office of the Attorney General, Consumer Protection Division. Since 2018, he has litigated cases under Florida’s Deceptive and Unfair Trade Practices Act as well as other Federal and State consumer statutes, including cases involving illegal and unwanted phone calls. His practice includes issues related to telecommunications, class actions, and unfair and deceptive trade practices.
Prior to joining the Attorney General’s office, he litigated consumer class actions involving, among other statutes, the Telephone Consumer Protection Act, the Fair and Accurate Credit Transactions Act, and the Fair Debt Collection Practices Act.
He holds a master’s degree in Political Science and a J.D. from the University of Florida and has been a member of the Florida Bar since 2014.