[VoiceOps] KYC Verification

Calvin E. calvine at gmail.com
Fri Mar 1 11:46:52 EST 2024 

You make a good point about "KYC as a proxy for fraud mitigation".
Validating a name/address/mobile number might deter the casual
criminals, but a serious threat actor will be equipped to pass the KYC
barriers.

In regards to any regulatory requirements, this is a follow up to a
thread from December, quoted below for reference.

https://puck.nether.net/pipermail/voiceops/2023-December/010278.html

Justin B Newman justin at ejtown.org
Tue Dec 12 17:52:31 EST 2023
>
> I am not a lawyer. Anyone considering offering any VoIP services today
> should have a lawyer well versed in the Act and the associated regulations.
> Starting a VoIP service in the US is no longer an easy or regulation-free
> endeavor.
>
> Within the United States, the TRACED Act required the FCC to establish
> regulations "including by establishing registration and compliance
> obligations, and requirements that providers of voice service given access
> to number resources take sufficient steps to know the identity of the
> customers of such providers, to help reduce access to numbers by potential
> perpetrators of violations of section 227(b) of the Communications Act of
> 1934 (47 U.S.C. 227(b))."
>
> 47 USC 227(b) regulates Automated Telephone Equipment, for what it's worth.
>
> In the December 22, 2020 Caller ID Authentication Best Practices, (WC
> Docket Nos. 17-97 and 20-324, DA-1526), the FCC outlines _voluntary_
> practices for know your customer (KYC), but emphasizes they are voluntary.
> Specifically, they recommend, "Voice service providers should vet the
> identity of retail and wholesale subscribers, in conjunction with (i)
> approving an application for service; (ii) provisioning of network
> connectivity; (iii) entering into a contract agreement; or (iv) granting
> the right-to-use telephone number resources."
>
> But further, 47 CFR § 64.1200(n)(3) requires a provider to, "Take
> affirmative, effective measures to prevent new and renewing customers from
> using its network to originate illegal calls, including knowing its
> customers and exercising due diligence in ensuring that its services are
> not used to originate illegal traffic."
>
> While I can imagine an argument that one has no KYC obligations if not
> supporting outbound, this imposes a clear obligation to perform KYC if
> doing outbound calling. That said, I would be uncomfortable receiving a law
> enforcement request related to a telephone number I issued (inbound only)
> where I was unable to identify the subscriber. Other providers may have
> different risk tolerances, but I do not believe interpreting these as
> requiring KYC for all number issuance to be uber-conservative.


On Thu, Feb 29, 2024 at 11:07 PM Denver Gingerich <denver at ossguy.com> wrote:
>
> On Thu, Feb 29, 2024 at 10:44:20AM -0800, Calvin E. via VoiceOps wrote:
> > A complication here is that it's an extra telephone number privacy service,
> > and blocking VPN users is becoming another  point of "signup friction". Any
> > KYC solution we implement won't be able to assume anything from GeoIP
> > lookup. For example, one of our North America subscribers had no idea their
> > VPN service was reaching us from Saudi Arabia and Armenia.
>
> I guess I'm not sure what your reason is for KYC here.  Do you feel like it's needed by some regulation?  Are you providing phone numbers in countries whose laws require ID if you register a phone number there?
>
> > A further complication is free users that don't provide any billing
> > information.
>
> How do they use your service?  Do they have to install a specific app?  Is it only available from the App Store or Play Store?  There might be billing-info-like properties if so.
>
> > What's the minimum and maximum effort others are putting in to filter out
> > the Donald Ducks and Scooby-Doos?
>
> If you believe there's something required by regulation, then I'd look to the text of the regulation (ideally with a lawyer) to see what efforts that regulation requires.  But I also wonder if you're looking for KYC as a proxy for fraud mitigation, in which case the solutions will be much different.  You can definitely do successful fraud mitigation without any KYC (e.g. where your customers pay with anonymous cryptocurrency or cash).
>
> Denver
> https://jmp.chat/

More information about the VoiceOps mailing list