Skip to content

Know Your Customers, Know Your Traffic: A KYC Strategy for Service Providers

The FCC has set forth stringent Know Your Customer (KYC) requirements for Communication Service Providers (CSPs). And beyond that, it’s just good practice. But what does a comprehensive KYC strategy really look like for a CSP? In this blog, we'll delve into the complexities of KYC compliance, and how to turn it into an opportunity.

In this blog, we will discuss:

 

Understanding US KYC Requirements  

Know Your Customer (KYC) is a critical element for Communication Service Providers (CSPs) in today's digital age. With the rise of cyber threats and fraudulent activities, KYC serves as a first line of defense for CSPs.

The Federal Communications Commission (FCC) has made combating illegal robocalls a top priority. Voice service providers are now required by the FCC to implement the caller ID authentication framework known as STIR/SHAKEN on their IP networks. This framework allows voice service providers to verify that the caller ID information transmitted with a call matches the caller's number.

KYC enables CSPs to verify the identity of their customers through a series of checks and validations. This is particularly important in the context of STIR/SHAKEN call authentication frameworks, which are designed to protect subscribers from unwanted and illegal calls. The FCC mandates almost all types of providers in the potential call chain to implement STIR/SHAKEN on their IP networks. The framework relies on the use of digital "certificates" issued through a neutral governance system to maintain trust and accountability among providers.

Furthermore, CSPs should be authenticating calls with varying levels of attestation. This is essentially ranking the confidence level the CSP has in the caller's identity. For instance, level A attestation is used when the CSP can confidently attest that the end-user initiating the call is authorized to use the telephone number-based caller identity associated with the calling line or account.

But KYC is not just a regulatory requirement; it's a crucial element of robocall mitigation. By knowing who callers actually are, both a CSP and the end user can better identify and filter out fraudulent activities. Illegal robocalls cost Americans over $3 billion annually just in lost time — not even counting the fraud — and KYC can help identify  and stop robocalls. (Did you know? A study by the Alliance for Telecommunications Industry Solutions (ATIS) found that robocalls make up approximately 45% of all calls in the U.S.)

And with robocall-related customer service calls costing CSPs more than $10 per call, reducing robocall traffic on CSP networks can save millions for CSPs.

Moreover, providers must authenticate caller ID information for all SIP calls originating on their networks that they will pass to another voice service or intermediate provider. This ensures a robust system of checks and balances, making sure that providers can trust one another based on the certificates transmitted along with STIR/SHAKEN-authenticated calls.

The FCC has been enforcing these rules strictly. In fact, in late 2022, for the first time they cut off a voice service provider from other networks, with the claim that the network failed to meet the FCC’s spam protection requirements.

A KYC Strategy For CSPs

 

But a comprehensive KYC strategy for CSPs must go beyond mere compliance. It needs to be functional for both the CSP and the consumers/users. Here are some key components for CSPs to consider in their KYC strategy:

  1. Monitor & Analyze: Advanced analytics tools, in coordinating with a range of data about your client’s usage patterns, can now be processed with AI/machine learning algorithms that identify patterns indicative of fraud or illegal activities. By proactively monitoring usage behavior, you can take rapid action against suspected fraud.
  2. Unsilo your efforts: Often, the IT team is separated, to some extent, from management, legal, security, and employee training programs. Yet, for the most effective defense, these need to be in coordination — even if it’s only periodic management meetings.
  3. Collaborate with Authorities: Regulatory bodies like the FCC are continually updating KYC and anti-fraud regulations. By working closely with these organizations – and your legal team – you can ensure that your KYC processes are always up-to-date. Collaboration can also provide you with insights into emerging fraud tactics and how to combat them.
  4. Employee Training: Your employees are on the front lines of your KYC efforts. Regular training programs can educate them on the latest KYC regulations, the importance of KYC, and how to handle sensitive customer data. Make sure to include real-world scenarios and role-playing exercises to prepare them for any situation.
  5. Regular Audits: Conducting regular audits of your process is crucial for maintaining the integrity of your KYC processes. When was your last comprehensive look at your KYC process?
  6. Technology Investment: Investing in technology is one potential key to a successful KYC processes for CSPs. That could be budgeting properly for your cybersecurity department, investing in new equipment, or funding a phone services partner.
  7. Find the Right Partner: Often, a partner organization can provide significantly better KYC protection — and expand it beyond just KYC — than a CSP trying to bring the project in-house. Look for platforms that offer automated KYC solutions, including real-time number verification and ratings, AI/ML processing, and more. Consider their APIs and your needs. Look at partners — such as YouMailPS — that have billions of data points that you would not otherwise have access to. Consider partners that will score your calls based on the risk of fraud, legality, and spam.

The downsides are clear — from simply losing customers, all the way to having your CSP shut down. It’s time to implement a comprehensive strategy which includes integrating various teams, budgeting, and a push from management on down to eliminate robocalls and fraud starting with KYC.

 

Turning KYC Into An Opportunity

KYC is crucial for ensuring security and compliance. But it also comes with its set of challenges. One of the significant challenges is the inability of non-IP networks to participate in the STIR/SHAKEN framework. This limitation creates a gap in the caller ID authentication scheme, decreasing the efficacy of the technology on the network and providing an opportunity for exploitation by bad actors.

Any spammer will tell you there are dozens of ways to defeat STIR/SHAKEN protocols — from IP spoofing, VPNs and proxies, stolen identities, even US-based phone numbers controlled remotely. There are even relatively simple ways to allow a scammer to procure an IP address based in the US, as well as correlate a phony mailing address with it.

So, while the FCC is actively working on closing these loopholes, CSPs need to go beyond KYC to stop unwanted robocalls. It's an opportunity for smart CSPs to better understand their customers and improve their services.

The smartest CSPs are also protecting against spamming, phishing, and vishing attacks. They’re monitoring behavior patterns with AI and shutting down fraudulent behaviors. They’re using sophisticated databases with billions of datapoints and very clear “fraud fingerprints.” And they’re using highly sophisticated content analytics — examining voice messages across millions of calls, determining which are spam/illegal, and then adding those fingerprints to the database, to immediately catch the bad actor anywhere and anytime they call again.

This, as a whole, can lead not only to increased regulatory compliance, but to increased customer loyalty and potentially new revenue streams.

KYC is not just a regulatory hurdle; it's an opportunity for CSPs to deepen their understanding of their customer base and improve the quality of their services. A well-implemented KYC strategy can turn compliance into a competitive advantage.

Interested in taking your KYC strategy to the next level? Reach out today to experts in the field to ensure you're not just compliant, but also competitive. >

Download Whitepaper