The FCC wants to fine voice providers $2,500 per call for not knowing their customer or that customer’s traffic. In its most specific KYC proposal yet, the Commission lays out what originating providers should collect, verify, retain, and re-check before illegal calls hit the network.
The Commission is finally defining what KYC should mean in practice, while attaching real financial exposure to getting it wrong.
What
Originating providers should collect four basic pieces of information from new and renewing customers before granting service: name, physical address, government-issued identification number, and an alternate phone number.
For higher-risk customers, including high-volume callers, the NPRM asks whether providers should also collect intended use information and the IP address from which calls will be placed, where applicable.
The NPRM would add a $2,500 per-call base forfeiture for KYC violations to the FCC’s penalty table. Separate base forfeitures already exist for other violations, but the draft does not clearly say they automatically stack in a KYC case.
The notice also asks whether providers should verify that information with supporting records, retain it for four years after the customer relationship ends, and re-verify it when unusual traffic patterns or other red flags emerge.
Additionally, with this notice, the FCC considers whether stronger KYC could help address abuse in text messaging networks, including fraudulent SMS tied to SIM boxes and bulk SIM activation.
Sidebar: The Telnyx Problem
This NPRM arrives after the FCC had already started testing its KYC theory through enforcement. In February 2025, the agency proposed a $4,492,500 forfeiture against Telnyx over apparent KYC failures tied to illegal government-impersonation robocalls. That action was a Notice of Apparent Liability, not a final order, but it put the agency’s KYC theory into the spotlight.
The tension was straightforward. The FCC already had rules requiring originating providers to take affirmative, effective measures to know their customers and prevent illegal traffic. But when the Commission adopted that rule in 2020, it also said providers could comply in a number of ways rather than prescribing a fixed checklist. That left the market with a broad standard, real enforcement risk, and a lot of discretion in between.
Telnyx argued the FCC was effectively turning that standard into strict liability without fair notice, and other industry commenters made similar regulation-by-enforcement arguments.
You do not have to agree with Telnyx to see the gap. The FCC had authority to enforce KYC. What it had not yet done was spell out, in one place, what stronger KYC should look like operationally. This NPRM is an attempt to close that gap.
So What
This is the FCC trying to turn a vague KYC obligation into a more explicit operating model for trust and identity.
In practice, it means more document collection, more verification, more retention, more re-checks, and more policy decisions about who gets approved, who gets escalated, and who gets cut off.
Collecting documents is easy; verifying and validating them at scale is harder. If that work is not handled with reliable automation and clear decisioning, KYC can quickly become a job-justification exercise spread across multiple companies. My job is to make sure you’re doing your job by repeating your job. The process grows without improving trust.
And even if the documents are valid, the harder question remains: what do you do with a customer who is technically verified but still risky? A Florida LLC may be valid on paper and still deserve closer scrutiny. A government ID may match. The alternate phone number may work. None of that settles whether the customer should be trusted with high-volume origination. At some point, KYC becomes less about document verification and more about policy enforcement and policy escalation. Reputation, in cases like that, has to be earned over time, not assumed on day one.
The FCC expects the proposal to affect a substantial number of small entities and asks how to reduce compliance burdens on smaller providers. In other words, the Commission understands that some providers will absorb it more easily than others and wants to hear from the smaller players.
Now What
Providers should not wait for the final rule to start pressure-testing their KYC posture. Teams should be asking now whether they can verify what they collect, whether they can tie customer identity to actual traffic patterns, and whether they can show their work if the FCC comes knocking.
Now is the time to identify where manual processes, weak recordkeeping, or thin monitoring could become expensive later. Smaller players are likely to feel this burden faster than the larger platforms.
The text messaging questions in the NPRM are worth watching closely by everyone in messaging, not just voice. The FCC may be proceeding through robocall and voice authority, but it is plainly asking whether the same trust failures show up in SMS abuse too.
Finally
On the surface, the requirements seem simple. Collect four pieces of data. Verify them and the stated use case. Keep watch, then escalate or stop when something goes haywire. But as Stewart Butterfield puts it, if you think it’s simple, you don’t understand it well enough. This proposal will test every voice provider in the market, over time, pushing many platforms and CPaaS providers deeper into identity, verification, and risk operations, whether they like it or not.