FCC Proposes Significant Expansion of Know-Your-Upstream Provider and STIR/SHAKEN Requirements
On May 20, 2026, the Federal Communications Commission (FCC or Commission) adopted a Further Notice of Proposed Rulemaking (FNPRM) proposing significant changes to its know-your-upstream-provider (KYUP) requirements. This is a complex item that proposes changes to the FCC’s rules in a number of areas related to robocall mitigation—ranging from KYUP obligations, the Secure Telephone Identity Governance Authority (STI-GA), and STIR/SHAKEN call authentication. In a significant shift from prior FCC involvement, the Commission proposes greater oversight over STIR/SHAKEN call authentication requirements. The FCC’s proposals would impose new substantive requirements on the voice ecosystem and have significant implications for all voice service providers (VSPs) throughout the call path.
Comments and reply comments are due 30 days and 60 days after publication in the Federal Register, respectively.
We provide a brief overview of the FNPRM below.
The FNPRM Proposes Prescriptive Changes to the FCC’s KYUP Requirements, Including Substantial Information Collection and Verification Requirements.
Specific KYUP Requirements. The Commission proposes five categories of “baseline” measures that VSPs must follow to know their upstream provider: information collection, compliance review, information verification, monitoring, and responsive action. Specifically, the FNPRM proposes that VSPs perform the KYUP requirements under the following circumstances:
- Before entering into a service agreement with a new upstream provider;
- Before renewing or renegotiating an agreement with an upstream provider; and
- At any other time the VSP “finds, receives, or is made aware of information or evidence concerning an upstream provider.”
The proposals also seek to strengthen the baseline KYUP requirement in the FCC’s existing rules to require that each VSP take “affirmative, effective measures to prevent an upstream provider from using its network or services to transmit illegal calls, including knowing its upstream provider.”
KYUP Information Collection. The Commission seeks comment on whether to require VSPs to collect certain information directly from their upstream providers including general business information (i.e., name and address), financial information, internet commercial presence information, ownership and affiliate information, operational information (i.e., corporate formation records), and service information (i.e., type of service offered and whether the provider relies on non-Internet Protocol (IP) technology).
KYUP Compliance Review. The FNPRM also seeks comment on requiring that VSPs perform due diligence of upstream providers’ compliance with the Commission’s rules by confirming that the upstream provider has a complete and compliant Robocall Mitigation Database (RMD) filing; confirming that the provider has obtained a Service Provider Code (SPC) token if it certified to full or partial STIR/SHAKEN implementation; and by making certain determinations, including whether the provider appears on the to-be-created Foreign Adversary Control System or the Covered List, whether the upstream provider has been subject to an FCC license revocation, and whether the upstream provider has been subject to any other final or preliminary Commission enforcement action.
The FNPRM also proposes to require that VSPs evaluate an upstream provider’s traceback history, including failed traceback responses, and whether the upstream provider has mechanisms to ensure its own customers, upstream providers, clients, employees, and contractors comply with federal and state laws and regulations concerning unlawful calls.
KYUP Information Verification. The FNPRM proposes rules that would require VSPs to “conduct at least a basic level of due diligence” to verify the validity and authenticity of the upstream provider, including actions such as confirming that telephone numbers and email addresses are active; having a verbal communication with one or more natural person principals, owners, or company leaders; and conducting general research to identify risk factors or contradictory information.
KYUP Monitoring & Responsive Action. The Commission also seeks comment on whether to require VSPs to implement baseline monitoring obligations such as regularly checking compliance with FCC rules, using call analytics to identify illegal or suspect calls, and timely evaluating evidence that an upstream provider is not complying with FCC requirements.
The FNPRM further proposes to require VSPs to implement measures to refuse and discontinue service in certain circumstances. These scenarios include, but are not limited to, when the results of information collection or monitoring do not demonstrate that an upstream provider is authentic, or when the upstream provider does not have an RMD filing, transmits calls in IP but does not have an SPC token, appears on the to-be-created Foreign Adversary Control System or Covered List, has had an FCC license revoked, or has been the subject of any other Commission enforcement action.
Use of Third-Party KYUP Services. The FNPRM proposes to allow VSPs to use third-party services to conduct some or all of their proposed KYUP obligations.
Recordkeeping. Finally, the FNPRM proposes to require VSPs to retain the KYUP information they collect for each upstream provider for a minimum of 4 years to cover any potential statute of limitations. The FNPRM also asks whether VSPs should be subject to compliance reviews or independent audits, and the potential for reporting audit findings directly to the FCC.
In a Departure From Prior FCC Policy, the FNPRM Proposes to Increase Regulatory Oversight of the STI-GA and STIR/SHAKEN Attestation Requirements.
STI-GA Oversight. The FNPRM proposes to require that the STI-GA update its SPC token issuance policies and Certificate Authorities selection process within six months after any rules go into effect to “restore trust in the STIR/SHAKEN framework[.]” Specifically, the Commission proposes to require that the STI-GA modify its SPC token issuance policy to include all of the proposed KYUP information collection, compliance review, and verification requirements. The FNPRM also asks whether the FCC should require the STI-GA to deny an SPC token when there is a reasonable basis for believing the SPC token holder is unlikely to comply with STIR/SHAKEN.
The FNPRM explains that the STI-GA has not established a written policy for the selection of Certification Authorities and proposes to require the Governance Authority to follow certain KYUP requirements to vet entities seeking to become Certification Authorities prior to their selection. The FNPRM also proposes to apply these requirements to existing Certification Authorities.
The FNPRM proposes that the STI-GA establish information-sharing requirements with the Industry Traceback Group and call analytics providers to receive information about specific providers’ practices, as well as a process to accept information about Certification Authority practices from stakeholders.
Lastly, the FNPRM proposes to allow parties to appeal STI-GA decisions to the Commission and to require that the STI-GA report to the Commission on a quarterly basis information about its enforcement activity.
STIR/SHAKEN Attestation Requirements. The FNPRM proposes to codify the 3 attestation levels (A, B, and C) and the criteria that apply to each level. The FNPRM also proposes the following requirements related to call origination:
- For a VSP to satisfy the requirement that it is responsible for the origination of a call on the IP network, it must meet the proposed definition of “origination” as “the technological act of placing a customer’s outgoing call onto the network using the [VSP’s] own facilities.”
- For an originating service provider (OSP) to satisfy the requirement that it have a direct, authenticated relationship with the customer associated with the call and be able to identify the customer, it must satisfy any KYC or KYUP requirements established by the Commission.
- An OSP may establish a verified association between its customer and the telephone number used when the OSP assigned the telephone number to the customer.
The Commission proposes to define an “improper attestation” as any attestation level that does not conform to ATIS-1000074 and the Commission’s rules. The FNPRM proposes to prohibit providers from assigning a higher or lower attestation than permissible under the STIR/SHAKEN standards and any FCC rules or using any other information or standards to set attestation levels.
Finally, the FNPRM proposes a number of definitional changes to existing terms in the FCC’s rules—some of which may have potential regulatory implications for VSPs throughout the call chain.
***
This is a wide-ranging item with significant implications for providers across the voice ecosystem. Wiley has a deep and experienced robocalling bench, with our experts handling federal and state policy issues, compliance with federal and state requirements, and complex TCPA issues. For more information or assistance with responding to the new FNPRM, please contact one of the authors listed on this alert.
