Overview
On May 1, 2026, the Federal Communications Commission (FCC) released a Further Notice of Proposed Rulemaking (FNPRM) proposing to strengthen and clarify its existing “Know Your Customer” (KYC) obligations for originating voice service providers, which the FCC adopted by a unanimous 3-0 vote at its April 30 Open Meeting.
On May 20, 2026, the FCC followed with a companion “Know Your Upstream Provider” (KYUP) FNPRM proposing new requirements designed to hold all voice service providers in the call path, not just originating providers, accountable for keeping bad actors off U.S. voice networks. While the KYC proposal focuses on originating providers and their end-user customers, the KYUP proposal extends due diligence obligations across the call path by requiring downstream providers to vet the upstream providers from which they accept traffic. Together, the proposals reflect the FCC’s broader effort to combat illegal robocalls throughout the voice ecosystem.
Five Categories of Baseline KYUP Measures
The FCC proposes five categories of baseline measures that providers must follow to fulfill their KYUP obligation:
- Information Collection
Voice service providers would be required to collect key business, financial, ownership, operational, and service-related information from upstream providers, including company identity and contact details, ownership structure and regulatory history, business registration information, and the types of services and customers served. - Compliance Review
Providers would need to confirm that an upstream provider has a filing in the Robocall Mitigation Database (RMD), has obtained a Service Provider Code (SPC) token if it certified STIR/SHAKEN implementation, does not appear on the Foreign Adversary Control System or the Covered List, has not had a Commission license revoked, and has not been the subject of final or preliminary Commission enforcement actions. - Information Verification
The FCC proposes requiring providers to perform basic due diligence to verify upstream providers, including confirming active phone numbers and email addresses, communicating verbally with one or more natural person principals, conducting research to identify risk factors (such as suspicious physical addresses or AI-generated photos on a website), and conducting a comparative analysis to identify inconsistencies. - Monitoring
Providers would be required to regularly check upstream providers’ ongoing compliance, use call analytics on an ongoing basis to identify illegal or suspect calls, and evaluate on a timely basis any information or evidence that an upstream provider is transmitting illegal calls, failing to authenticate calls, or authenticating calls with improper attestations. - Responsive Action
Providers would be required to refuse or terminate service if their KYUP review does not reasonably establish that an upstream provider is legitimate or indicates the provider is likely transmitting illegal calls.
Enhancing STIR/SHAKEN Oversight and Attestation Standards
The KYUP FNPRM also proposes codifying STIR/SHAKEN attestation levels (A, B, and C), establishing requirements for meeting attestation criteria, and prohibiting improper attestations. It would eliminate remaining undue hardship extensions for STIR/SHAKEN implementation and require all providers serving end users to make attestation-level decisions.
The FCC also proposes requiring the STIR/SHAKEN Governance Authority to update its SPC token access policy to incorporate KYUP compliance and verification requirements, take a more active role in identifying SPC token misuse, and coordinate with the Industry Traceback Group and call analytics providers on enforcement efforts.
Closing STIR/SHAKEN Loopholes
The KYUP FNPRM proposes to clarify definitions that govern providers’ STIR/SHAKEN implementation obligations, including revised definitions for “Voice Service” and “Voice Service Provider,” “Origination” and “Originating Provider,” and “Intermediate Provider,” “Gateway Provider,” and “Non-Gateway Intermediate Provider.” The proposals would also ensure that calls arrive at their destination with authentication information by prohibiting intentional call routing to strip such information and requiring blocking of unauthenticated calls.
Implementation Timeline
The draft KYUP FNPRM proposes that any new rules go into effect 12 months after Federal Register publication of a Report and Order, or 30 days after OMB approval for rules containing new or modified information collections subject to the Paperwork Reduction Act. Providers would also be required to perform a one-time KYUP review for all existing upstream provider relationships within six months after the rules take effect.
The comment periods for both proceedings will begin upon publication of the respective FNPRMs in the Federal Register. Stakeholders considering filing comments should begin assessing their current KYC and KYUP practices now to identify gaps and inform their positions.
This client alert is not intended to serve as or replace traditional legal advice.
Scale’s Communications & Technology Team
Our Communications & Technology team advises companies at the intersection of innovation and regulation. We work with telecommunications providers, infrastructure companies, and technology platforms to navigate complex federal and state frameworks, execute strategic transactions, and manage day-to-day regulatory demands.
