Talk to an expert →
← Back to blog
US Compliance

The FCC's Know-Your-Customer overhaul: what the proposed $2,500 per-call forfeiture means for originating providers

IT
Infinititel Team
July 2026 · 9 min read

On 30 April 2026, the FCC adopted a Further Notice of Proposed Rulemaking that would turn its long-standing but vague "Know Your Customer" (KYC) requirement for originating voice providers into a detailed, prescriptive rulebook — backed by a proposed $2,500 per-call forfeiture for violations. Comments closed on 25 June 2026, and reply comments are due 27 July 2026 — three weeks from now. Nothing here is final law yet, but the direction is unmistakable, and the record already includes a real enforcement case that shows what "enhanced KYC" looks like in practice.

This article works from the FCC's own text — the Further Notice of Proposed Rulemaking itself (FCC 26-27, CG Docket Nos. 17-59 and 02-278) — not secondary summaries.

The existing rule, and why the FCC thinks it isn't working

Since 2020, FCC rules have required every originating voice service provider to "take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic" (47 CFR § 64.1200(n)(4)). Note the scope: this obligation applies specifically to originating providers — the FCC has not mandated specific steps, instead leaving providers to determine what measures work for their business.

The Commission's own view, stated plainly in the FNPRM, is that "some originating providers do not do enough." Chairman Carr's statement accompanying the item is blunter still: "some do the bare minimum (or worse) and have become complicit in illegal robocalling schemes."

The Lingo Telecom case: what "enhanced KYC" already looks like

The FNPRM leans heavily on a real 2024 enforcement matter. The FCC found that Lingo Telecom, LLC, "in a failure to utilize reasonable 'Know Your Customer' (KYC) protocols, applied incorrect STIR/SHAKEN attestations to spoofed robocalls." As part of the resulting consent decree, Lingo agreed to obtain the following from its customers going forward:

The FNPRM cites this consent decree repeatedly as the template for what it now proposes to make a general industry requirement — worth reading as a preview of where the final rule is likely to land.

What the FNPRM proposes to require from every originating provider

Minimum information for all new and renewing customers

The FCC seeks comment on requiring originating providers to obtain and retain, at minimum, before granting a customer access to service: name, physical address, a government-issued identification number, and an alternate telephone number.

Additional information for high-volume customers

For high-volume customers — including business and foreign customers — the FCC seeks comment on also requiring collection of the intended use of the service (marketing, education, political campaign, etc.) and the IP address from which each call will be placed, where applicable. The Commission has deliberately not defined "high-volume," continuing its existing flexible approach that leaves the threshold to each provider's judgment based on its own service offerings and customer base.

What counts as a "physical address"

The FCC is specifically asking whether it should exclude virtual addresses, shared office locations without a dedicated suite or floor, P.O. boxes, mail forwarding services, and hosted servers from qualifying as a physical address — on the basis that these are "inadequate to confirm the identity of a customer and often used by bad actors to conceal its identity."

Verification, not just collection

For high-volume customers specifically, the FCC seeks comment on requiring verification through supporting records: corporate formation records, proof of good standing, confirmation that the phone number provided is the customer's current active number, third-party records corroborating the physical address, and verification of commercial presence.

The red flags the FCC has already identified

The FNPRM sets out a specific list of "red flags" that it tentatively concludes should trigger closer verification. Quoted directly from the Commission's own text, these are:

Re-verification triggers

The FCC seeks comment on requiring re-verification of a customer's KYC information when traffic patterns or other red flags suggest illegal calling — for instance, a domestic US company whose traffic suddenly appears to originate from a foreign-based IP address, or a dormant account that suddenly reactivates and starts sending large call volumes. As an alternative, the FCC also asks whether periodic re-verification (for example, annually) should apply regardless of any specific trigger.

Record retention

The FCC proposes requiring originating providers to retain KYC information and supporting records for four years following termination of the customer relationship — matching the four-year statute of limitations that applies to spoofing or intentional violations under section 227(b) of the Communications Act. For comparison, the FCC's own FNPRM notes that the equivalent retention period in the banking sector, under Treasury's Customer Identification Program rule, is five years.

Enforcement: a $2,500 per-call forfeiture

This is not a vague proposal — the FNPRM's own draft rule text (Appendix A) amends the FCC's forfeiture schedule at 47 CFR § 1.80(b)(11) to add a new line item: "Per call Know Your Customer violations — $2,500." The Commission explains its reasoning directly: a per-call basis "best correlate[s] penalties to the volume of illegal calls made, and thus the harm caused by any one caller," rejecting a flat per-customer fine as insufficient because it "would result in a single base forfeiture regardless of the number of illegal calls made by the customer." For a customer generating meaningful call volume, this could scale into a very large exposure very quickly — and the base amount can be adjusted upward under the Commission's existing forfeiture factors (egregiousness, intent, harm, economic gain, repeat violations, prior compliance history).

A possible safe harbor for AI and automated compliance tools

The FCC is also asking whether, instead of prescriptive rules, it should issue baseline KYC guidance that functions as a safe harbor — and specifically whether using an accredited third party to verify customer identity, or deploying "effective AI or automated systems that satisfy KYC objectives by identifying bad actors and preventing illegal calls," should qualify a provider for that safe harbor. The Commission asks directly whether AI and automated technologies are already being used for KYC compliance today, and how their effectiveness compares with traditional document-based verification.

A companion proceeding: Know Your Upstream Provider (KYUP)

Three weeks after adopting the KYC FNPRM, the FCC adopted a related but separate Further Notice of Proposed Rulemaking on 20 May 2026 (FCC 26-32, WC Docket No. 17-97 and CG Docket No. 17-59), addressing a companion obligation that already exists at 47 CFR § 64.1200(n)(5): the requirement that every voice service provider — not just originating providers — take reasonable and effective steps to ensure that any upstream provider it directly receives traffic from is not being used to carry illegal traffic.

The KYUP FNPRM proposes to strip the "high volume" qualifier from that existing rule, extending the obligation to cover illegal calls of any volume, and sets out detailed proposed baseline measures across five categories: information collection, compliance review, verification, ongoing monitoring, and responsive action (refusing or discontinuing service under an "objectively reasonable" standard, with five business days' notice). For a wholesale carrier that both buys and sells termination capacity, this proceeding is arguably more directly relevant than the KYC FNPRM itself, since it speaks to carrier-to-carrier relationships rather than only end-customer onboarding.

As of the KYUP FNPRM's release, comment and reply comment deadlines had not yet been set — they will run 30 and 60 days respectively from the item's publication in the Federal Register, which had not occurred at time of writing. We will cover the KYUP proceeding in more detail once those dates are confirmed.

What this means for wholesale operators right now

Nothing in either proceeding is binding law today — both are Further Notices of Proposed Rulemaking, meaning the FCC is still gathering comment before deciding on final rules. But two things are worth acting on now rather than waiting:

Given the 27 July 2026 reply comment deadline on the KYC FNPRM, industry associations and individual carriers are actively shaping what the final rule will look like right now. Providers with views on proportionality — particularly around the undefined "high-volume" threshold and the treatment of smaller originating providers — still have a window to be heard before the record closes.

Note

This article is for informational purposes and does not constitute legal or regulatory advice. Both proceedings discussed are proposed rules under active FCC comment periods, not final regulations, and their content may change materially before adoption. Consult a qualified telecommunications lawyer for advice specific to your situation. Primary sources: FCC 26-27 (adopted 30 April 2026, released 1 May 2026) and FCC 26-32 (adopted 20 May 2026, released 21 May 2026), CG Docket Nos. 17-59 and 02-278, and WC Docket No. 17-97.