Today I will be participating in two webinars alongside representatives of the Cloud Communications Alliance, Numeracle and the i3Forum as we collectively introduce the i3Forum’s new Know Your Customer Code of Conduct. These are the remarks I have prepared for those webinars.
Last week, a US Secret Service operation seized 300 simboxes and 100,000 SIM cards in New York. 100,000 SIM cards is more than the entire stock of some telcos. An unnamed law enforcement source told the press that this single operation was capable of sending 30 million text messages per minute. Photographs also showed some of the SIM cards had come from an MVNO that does not consistently report how many users it has, but did refer to only having ‘tens of thousands’ of customers at the beginning of this year. The Secret Service explained why they felt the need to urgently intervene, but we also need to examine long-term root causes to tackle crime effectively. Criminals have been able to instigate bulk communications at enormous scale because some communications providers do not know who their customers are. Know-your-customer controls — KYC for short — are vital to reducing crime. It is not just businesses that supply SIMs which need to be responsible for KYC. Other telcos are also carrying very large volumes of automated calls and messages without knowing if their customers can be trusted.
Criminals create business fronts. They want communications providers to believe they are handling legal marketing calls and legal notification messages when they are actually conveying scams. Some communications providers execute robust KYC checks. But trying to stop consumer scams by having only some providers implement robust KYC is as ineffective as trying to stop a flood by building a dam with gaps in it. Crime flows through the gaps. That is why all communications providers need to have consistently robust know-your-customer controls to turn the tide on a deluge of scam calls and messages.
Thankfully, the tide began turning in 2023 with the efforts of two brilliant women at Numeracle, Sarah Delphey and Rebekah Johnson. Sarah Delphey is now at Bandwidth, serving as their Director of Global Trusted Solutions, while Rebekah Johnson helms the growing business she founded as Numeracle’s CEO. They drew upon their considerable practical knowledge of know-your-customer controls to author a model KYC standard which has been freely distributed for anyone to copy. The Cloud Communications Alliance followed up in 2024 by becoming the first major association of communications providers to issue authoritative KYC guidance. Around that time, the i3Forum’s Fight Fraud group, under the leadership of Katia Gonzalez, began drafting a checklist of KYC questions that its members should ask of prospective customers. Having admired the work done by Numeracle and the Cloud Communications Alliance, I made what seemed to me an obvious suggestion: that the i3Forum should draw upon the previous work of Numeracle and the Cloud Communications Alliance so our industry can present a united front against scams, aiming for consistent KYC expectations across all the kinds of communications providers that exist around the world.
Having made the suggestion, it fell to me to perform a task for which I was already well practiced: I used ctrl-c and ctrl-v on my keyboard to copy and paste the expectations described in Numeracle’s model standard, the Cloud Communications Alliance’s guidance, and the nascent i3Forum checklist, into a single draft code of conduct. Fionán Mc Grath of Cellusys made sure I had not mangled the words too much, and then the i3Forum Fight Fraud working group, which contains representatives of many of the world’s largest international carriers, assented to the draft too. My only contribution was to introduce the principle of ‘comply or explain’. This is a corporate governance principle that has become increasingly popular in the last few decades because it delivers consistency in the spirit of requirements while allowing enough flexibility to cope with the differences between businesses. The principle of ‘comply or explain’ works exactly in the way you would imagine: an organization either says it will comply with expectations as they are written or the organization deviates from an expectation by writing its own rule and explaining why it needed to differ from the norm. ‘Comply or explain’ is a transparent way to raise the bar for governance so we can all make progress with improving controls without needing to anticipate every new circumstance.
That is the short history of how the i3Forum’s KYC Code of Conduct came into being. Now we will hear from some genuine experts who will describe the checks that communications providers should perform to ensure they really know their customers.



