[VoiceOps] Consumer KYC Requirements

[Justin B Newman]

I am not a lawyer. Anyone considering offering any VoIP services today
should have a lawyer well versed in the Act and the associated regulations.
Starting a VoIP service in the US is no longer an easy or regulation-free
endeavor.

Within the United States, the TRACED Act required the FCC to establish
regulations "including by establishing registration and compliance
obligations, and requirements that providers of voice service given access
to number resources take sufficient steps to know the identity of the
customers of such providers, to help reduce access to numbers by potential
perpetrators of violations of section 227(b) of the Communications Act of
1934 (47 U.S.C. 227(b))."

47 USC 227(b) regulates Automated Telephone Equipment, for what it's worth.

In the December 22, 2020 Caller ID Authentication Best Practices, (WC
Docket Nos. 17-97 and 20-324, DA-1526), the FCC outlines _voluntary_
practices for know your customer (KYC), but emphasizes they are voluntary.
Specifically, they recommend, "Voice service providers should vet the
identity of retail and wholesale subscribers, in conjunction with (i)
approving an application for service; (ii) provisioning of network
connectivity; (iii) entering into a contract agreement; or (iv) granting
the right-to-use telephone number resources."

But further, 47 CFR § 64.1200(n)(3) requires a provider to, "Take
affirmative, effective measures to prevent new and renewing customers from
using its network to originate illegal calls, including knowing its
customers and exercising due diligence in ensuring that its services are
not used to originate illegal traffic."

While I can imagine an argument that one has no KYC obligations if not
supporting outbound, this imposes a clear obligation to perform KYC if
doing outbound calling. That said, I would be uncomfortable receiving a law
enforcement request related to a telephone number I issued (inbound only)
where I was unable to identify the subscriber. Other providers may have
different risk tolerances, but I do not believe interpreting these as
requiring KYC for all number issuance to be uber-conservative.

Yours,

-jbn

On Mon, Dec 11, 2023 at 1:27 PM Calvin E. via VoiceOps <
voiceops at voiceops.org> wrote:

> Hey fellow voice operators,
>
> Which regulations, laws, etc. require a carrier to collect "know your
> customer details" before/when a TN is assigned to a subscriber? I need some
> specific references to cite, if they exist.
>
> The two contexts are 1) numbers assigned for inbound-only service
> (forwarding or voicemail) and 2) smartphone app based VoIP lines for both
> inbound and outbound calls (which also support forwarding). Only a
> proprietary app is supported, no registration from softphones or other
> devices.
>
> Yes, it's the same old "signup friction" versus "doing the right thing"
> argument. The app supports app store "in-app purchases", and those app
> stores do not share detailed billing information to use for KYC. We're
> forced to prompt the user to provide personal information, and some
> demographics aren't comfortable doing this without a clear reason.
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20231212/a2b76cfa/attachment-0001.htm>