Cease to resist, giving my goodbye
Drive my car into the ocean
You’ll think I’m dead, but I sail away
On a wave of mutilation
This is the final Commsrisk article. The website will continue to host the Commsrisk Global Fraud Dashboard under the stewardship of James Greenley, the software engineer who created it, for as long as he can find financial backers to support that work. Presenting reams of objective data compiled from varied international sources is the best way to build on the platform constructed during the first two decades of this website. Facts and figures need to rule; words are too messy and too easily twisted. My regular narratives about the communications sector end now, not with regret, but with pleasure. I am glad to be released to live a different life to the one that has consumed so much of me.
Life is short. There is much to explore during our brief existence as conscious entities. Last night was spent listening to Pixies perform at the Royal Albert Hall and I am increasingly focused on the preparations for an upcoming hike along Alta Via 1 in the Dolomites. Do not worry if some of the words in the last sentence seemed strange. They mean that I already decided to spend less time at a keyboard and more time doing things that bring me joy. Fighting arseholes who work in ‘public policy’ roles for telcos does not bring me joy although much of the tail end of my career has been wasted by these people. For decades, they took no interest in fraud or other criminal activities that occurred on networks. Now they seek to dominate global decisions about how to tackle fraud because consumer scams have reached the point where even the laziest government wants something done to reduce them. The intervention of a herd of people who know nothing about fraud is the worst possible double-whammy for both the public and the real experts who should be leading the fight against networked crime:
- Minimizing the number of people employed by telcos to tackle crime because shedding jobs is the top priority of current telco executives. Public Policy departments serve the same master as Human Resources departments: they find ways to enable mass redundancies because telco executives deem job cuts to be vital to maintaining profitability as revenues decline. They no more care about your job than they care about the reasons why phone scams got out of control. Their mantra is to resist, resist, resist government intervention even when it is vital to restoring trust. We actually need government intervention because only governments can force telcos to hire and promote the staff needed to reduce scams.
- Buying gimmicky ‘systems’ to tackle fraud because this has no impact on headcount but will appease governments who can claim a one-off ‘victory’ against scams. These purchases are followed by years of bullshit about the system being successful even though it failed due to a lack of human experts challenging the way it was designed and implemented. The US adoption of STIR/SHAKEN is the exemplar for this failure. Both the US government and public policy zombies continue to pretend STIR/SHAKEN has been a success, even though half a billion dollars of telco expenditure went into a system that did nothing to prevent scam losses skyrocketing in the 5 years since it was implemented. Stooges produce deliberately misleading statistics to disguise the collective failure in the USA because vendors make more money by selling one ineffective system after another than by actually reducing crime.
- It was not a One Consortium meeting.
- I was not representing Oculeus.
There is one area in particular that is doomed to fail because of this two-pronged madness: know-your-customer (KYC) checks. Only a human being can have the instincts, the freedom to deviate from a predefined course of action, and the imagination required to keep pace with the way criminal enterprises will cheat KYC checks. But instead of tackling the root cause of scam failure — most obviously in the case of STIR/SHAKEN, which was built upon shoddy KYC controls — we have committees comprised of people who are desperate to pretend that KYC can be improved without hiring and training people to continuously fine-tune KYC. They use the excuse that KYC must be flexible to argue for the least enforceable, lowest common standard for KYC behavior. We really need the kind of flexibility and harmony that comes from telcos working together to pursue a high standard for KYC that all must accomplish together, and for that high standard to be continually re-tuned to reflect how criminals change their methods.
The only people who could argue for truly robust KYC are senior anti-fraud professionals. And therein lies our problem. Fraud management has been so undervalued for so long that many telcos do not have a senior anti-fraud professional. Some of us got older; few rose in terms of power or influence. I reported to the board of Qatar Telecom but left because I was frustrated with my lack of influence. That was 13 years ago. Then I tried different ways to pursue needed change. Now I am retiring from Commsrisk after admitting my final defeat… or perhaps my final victory. You will need to keep reading to understand.
If I am frustrated with the lack of change in this industry then imagine how much change will ever be effected by the typical American junior manager. In Qatar, I had the opportunity to lobby members of the royal family directly. The typical American fraud manager will be lucky to speak to an actual decision-maker once a year. The difference between senior and junior management is not just measured in wages. It is shown in the freedom to make decisions in order to pursue goals. Consider the clown who still runs fraud management at AT&T. He once wrote an affidavit that said his team’s global fraud hotline had been put out of service because a fraudster made two phone calls to it. What is the seniority of a telecoms manager whose ‘hotline’ cannot handle three phone calls?
We need genuinely senior anti-fraud leaders to drive the fight for better KYC because junior managers are afraid to do anything but follow orders. They are forced to treat KYC as a box-ticking exercise, and as a cost to be minimized. We need people with the experience, imagination and freedom to deviate from a series of prescribed KYC checks if their instincts show it is necessary. They need to be free to talk about crime with counterparts and the authorities, even if it means admitting that mistakes were made in their own business. The confidence to do these things only comes with seniority. We will not get it from junior managers. And we will not get it from Americans, because there are no senior fraud managers in the USA. They only have corporate puppets who say little because the few that really know what they are doing are conscious of the punishment they will receive if they spoke freely.
So if you are tired of reading — and I can hardly blame you, because I am tired of writing — then stop after I make the following point. Somebody needs to demand the recruitment of senior antifraud managers who will push for much more robust KYC than has been the norm in telecoms. That somebody needs to be somebody like you, because I will not do it any more. Doing it involves maintaining a hawk-like eye on powderpuff industry associations like One Consortium who produce many fine words but have delivered nothing that changes the number of people that telcos hire to fight crime, and nothing that changes the seniority of the existing crimefighters within those telcos. They use the word ‘robust’ to describe KYC when a true antifraud professional would use the word ‘sellout’. I tried and I failed (perhaps). Others need to step up.
Writing and editing Commsrisk articles has become a process of attrition, motivated by equal portions of duty and spite. We are social animals, and mature human beings have a duty to do what is best for fellow members of their species. I persisted longer than I should to spite the selfishness of some members of our species. But I am not selfless; my own martyrdom does not appeal. This late stage in the evolution of human society is often described as an attention economy; Commsrisk serves a purpose if it has an audience. I slam the metaphorical door as I leave the room to maximize attention one final time.
A ruling by the governing council of One Consortium, an association ostensibly created to tackle phone scams, has thrown me out of that body because of the content of this recent Commsrisk article. I hope that punishing me will invoke the Streisand Effect: the attempt to censor news draws more attention to it. By the time you read this, I will be gone and I will stay gone. Every person who wonders where I went will be directed to this article about the need for robust KYC and the need to empower senior anti-fraud professionals to stop American chaos and amorality becoming the global norm.
It turns out that the ruling council of One Consortium reads Commsrisk, like so many other people who only admit to reading it when they want to complain to me about its contents. Some of them were unhappy about being revealed to be hypocrites who say one thing when speaking to regulators and something entirely different when talking among themselves. There is no prohibition in the One Consortium bylaws about embarrassing charlatans. However, people who crave status do not like shameful behavior to become public knowledge. So the council unanimously ruled that I had violated a One Consortium bylaw by discussing a One Consortium meeting that I attended as a representative of Oculeus, a business that pays One Consortium to be a member and pays me to represent them. There are only two problems with the council’s ruling.
Call me a pedant if you like, but bylaws that apply to official meetings of an association do not apply to any and every occasion when there is a conversation between some of the members of that association. But this is not going to be an argument seeking my reinstatement. I wanted to be thrown out of One Consortium, and I wanted the process to be demonstrably unfair. This demonstrably unfair process involved my being told a pack of lies about a meeting by people who did not participate and who never asked for my version of events. The public thinks of telecoms as being an important business sector but the people who run it are quite cheap and their institutions are surprisingly weak. I have been waiting two years in the hope that the abuse of institutional weakness by a bunch of selfish Americans might lead to a cause célèbre. The people who run One Consortium never worked out what I was doing, when I laid the trap in 2024. They thought I was helping them. I waited for two years for American corporations to be triggered by what I did. And then they flexed their muscles, in the way I expected, and some weak Europeans went along with them, as expected.
There is no official element of One Consortium that can convene an exclusively American subset of One Consortium members so they can request my attendance on a call that began with 20 consecutive minutes haranguing me about the content of a know-your-customer (KYC) code that I helped to write for i3Forum, a different nonprofit association. One Consortium should not have any authority over i3Forum; the memberships are separate. The same people run both associations, but they demand separate membership fees to join each association. So if they are separate, how can the members of one association complain about the content of a publication approved by the members of the other association? They can complain because One Consortium actually functions as an American veto over decisions made by the rest of the world. If American telcos want something, then telcos worldwide will be told they must want it too. If American telcos do not want something, then nobody else can even talk about it. And there is nothing that American telcos want more than job reductions, gimmicky systems to appease an ineffective government, and weak KYC.
To be clear, I work for Oculeus when representing them at One Consortium but I have never represented Oculeus at i3Forum. Oculeus has never joined i3Forum. So when a group of Americans arranged a conference call whose sole purpose was to lambast my contribution to an i3Forum publication, they cannot be speaking to me as a representative of Oculeus, because Oculeus were not involved in the creation of that document. I was not even working for Oculeus at the time that document was written.
The attendees of that call did not match any One Consortium committee or working group that I ever heard about. There are six working groups in One Consortium, and none of them officially take responsibility for KYC. Does the ruling council of One Consortium now wish to clarify, for the benefit of those regulators who read Commsrisk, that there is a special section of One Consortium exclusively comprised of American members whose main interest is to challenge the obligations implied by the KYC code of a different association? If so, how did this section of One Consortium get appointed, and under whose authority? If I had known about this section of One Consortium then I would have volunteered to join it, in order to spoil it. They made a grievous error by letting me know this special section of One Consortium exists, even if it was just to rubbish me and the work I had done in collaboration with others. Now every regulator who reads Commsrisk will have an insight into how One Consortium rigs its own processes, using intimidation of paying members when necessary. Chucking me out means One Consortium’s ruling council has given this hidden anti-KYC section of the association de facto legitimacy despite it not appearing on any of the charts they share with regulators to describe how the association reaches its decisions.
It was a difficult time for those American members of One Consortium. They believe they are fighting for a good outcome by demanding the rest of the world follows American rules while American businesses continue to do the same things as they did before. I do not believe this is a compelling proposition. And nor does the Federal Communications Commission (FCC), the US comms regulator, who were then working on draft proposals to massively upgrade the KYC and know-your-upstream-provider (KYUP) obligations that they impose on US telcos. Those proposals have since been published. With their insider connections, the Americans who excoriated the i3Forum KYC code evidently knew something I only learned later: that the FCC’s KYC and KYUP proposals repeatedly referenced the modest 4-page KYC code that I helped to write for i3Forum.
The bizarre meeting of exclusively American complainants who summoned me to discuss the i3Forum KYC code makes perfect sense when put into the context of the FCC’s internal decision-making processes, which will be a mystery to those of us who lack insider access. The USA is a case study in bad decisions made by opaque cliques. The i3Forum KYC code is a huge thorn in the side of American telcos… now that they are aware of it, and so long as other people know that the code exists. These Americans would undoubtedly like to make the i3Forum code disappear. They will now seek to overwrite it. There was no other conceivable goal for the bizarre conference call that this story is about. They must have thought that I might sympathize with their point of view, and hence help them to quietly massage away the parts they do not like. That was a tactical error. I did what I did expecting it would lead to a confrontation with American businesses at some unknown point in the future. I want that confrontation to be public, not hidden by opaque cliques who pretend to convey a consensus position.
You can download a copy of the i3Forum KYC code of conduct from here. Do not wait; download it now. The Americans who wanted me to disappear will be looking for ways to make that document disappear, now that I am drawing even more attention to it. They got screwed because the FCC has now seen that document. The FCC’s position on KYC has changed to a surprising extent in recent months; nobody would have predicted how rapdily the FCC’s understanding of crime has evolved, despite the lies being fed to the FCC by US telcos. Ugly American corporate interests will look for any mechanism to delete the parts of that KYC code which will inevitably increase costs for telcos by requiring people to do the kind of work that only people can do. They will rewrite history if given the chance. They have done it before; just look at the history of claims made about the success of STIR/SHAKEN.
I had one golden rule when I did actual risk management for actual telcos: there needs to be a way for whistleblowers to communicate what they know without recrimination. Take as long as you like to consider why that was my golden rule. Then consider what is done to permit whistleblowing within the anti-fraud profession, and how much everyone was depending on Commsrisk to carry some of that burden. How are you going to fill the gap created by my retirement? Associations like One Consortium are constitutionally incapable of accommodating the need for whistleblowing. The only reason they suspended the membership of Bankai Group was because mainstream news outlets ran stories about ‘breathtaking’ fraud. What is the value of an antifraud association that claims to be leaders at fighting fraud but which only discovers its members are fraudsters by reading the newspaper?
Linda Vandeloop, the ringleader of the American anti-regulation cabal within One Consortium, has never shown me any gratitude for introducing her to One Consortium in the first place. My intentions were genuine; she needed to be part of a global conversation. She needed to be part of the conversation, not dominating the conversation. The USA is one country among many, not the ruler of all. Somebody like me also needs to be part of the conversation, to provide some counterweight to the greediest businesses in the comms sector, which is why I cajoled Oculeus into forcing me back into that conversation as far as they could. As a European company, Oculeus has every reason to question why it is so rare that foreign regulators are offered any competition to American proposals to fight telecoms crime using American technology. STIR/SHAKEN has been a total failure in the USA. Linda Vandeloop was the face of STIR/SHAKEN, and persists in that role.
Linda is not sincere when she speaks about protecting the public from harm, but I greatly respect how savvy and determined she is. She is a formidable opponent. She was especially astute when identifying the main difficulty that the i3Forum KYC code creates for businesses like AT&T, her former employer. It includes the word ‘comply’. As soon as you get telcos to publicly agree they should comply with an expectation, it becomes harder for them to wriggle out of it later. Attention is key to policing the way businesses behave in practice. When I volunteered to draft the i3Forum’s KYC code, back in August 2024, it was with the intention that I would insert the word ‘comply’ into the document. Linda correctly identified the trap when she became aware of it. The trap was laid inside i3Forum, a different association that Linda was unable to police.
The word ‘comply’ is essentially the only novel contribution I made to the i3Forum’s KYC code, which is otherwise a pretty loose, mundane and obvious list of checks that telcos should perform when considering who they will serve. The rest of the document is admittedly copied from American standards. Even the term ‘comply’ is included as part of a construction that means it is not necessary to comply. My chief goal was to insert the notion of ‘comply or explain’, whereby a business can either do the things stated in the KYC code, or explain why they will not do the things stated in the KYC code. The word is used in a context that reduces the strictness of an obligation, but it still triggered Linda. She, like her American colleagues, does not even want regulators thinking about whether they should enforce KYC rules.
There is some irony here. In practice, the FCC has followed a ‘comply or explain’ approach to developing its own robocall mitigation rules, though they never used that phrase and they applied the principles back-to-front. Instead of giving some guidance, and then asking how well telcos might follow the guidance, they mandated that telcos write down what they were doing to reduce robocalls. And then, after wading through all those documents, they started formulating rules based on the contents of those documents. This helped them to ensure their rules are realistic without allowing a debate to be blocked or hijacked by the worst scum in the comms sector. But the FCC’s approach is slow, and many people continue to be scammed while waiting for telcos and regulators to do a better job of preventing scams. So I tried to speed things up by creating a straw man for potential global KYC rules that most decent people would agree to as a matter of course, and to then see who would oppose it and how they would try to undermine it. And because it did not involve any specific national regulator, every national regulator was able to learn from the reaction, so long as they were paying attention.
That was the trap I laid in 2024. I have been waiting patiently for the time when I could maximize its effectiveness by drawing attention to it. Many innocent people have been scammed in the interval. That two years can be wasted on shenanigans like this makes me angry. But I had to be patient, and wait for the best time to draw attention to what I did, and why I did it. By chucking me out of One Consortium, its ruling council unknowingly made this moment the optimum time to reveal my intentions. That is why I will never write anything for Commsrisk again. The plan has been executed; there is no further plan. We work in an attention economy, and I will never accumulate more of that currency than I have now. The value of my holding needs to be maximized. Every person who visits any other article on Commsrisk will be directed to read this article first. Unlike social media, Commsrisk has a very long tail. People keep finding and reading Commsrisk articles from many years ago. I intend to keep this archive alive for many years yet, so they can keep finding those articles. Every person who does will first be asked to read this.
This trick can only be played once. After almost 20 years of accumulating this audience, now is the time to harvest my investment in the attention economy. I do this by drawing your attention to the importance of underpinning any consumer protection rule or any authentication system with KYC rules that will be enforced in practice. If you agree with me, then please encourage others to read this article.
I went back and reviewed an early draft of the i3Forum KYC code while I was writing this article. Those drafts were written using Google Docs to create an audit trail that could easily be made public if I needed it later. It gives me satisfaction to reveal that the first editorial comment I inserted into the document cobbled together from previous KYC guidance states “comply or explain”. That is what regulators need to do now. They must force telcos to comply with KYC rules, or explain why they will not.
Publishing Commsrisk has been a wild ride in the last few years, especially because of the growing number of threats to sue me for making factually accurate statements. When you have been menaced by the most notorious libel lawyers in the world then it feels comical to be told you broke some irrelevant bylaw of an empty debating society like One Consortium. They want empty debate because they lack the means to get anything done. And the reason they cannot get anything done is because American corporations decide what can be done.
People may say I am anti-American. I have many American friends. There is no enmity between me and ordinary Americans. I hate American corporations and the evil culture they propagate. I would like to see the American people be freed from the mistreatment imposed on them by big American corporations. Sadly, there is no way to challenge a dysfunctional business culture without challenging the individuals who sustain that culture. Some people choose to profit by working for corrupt systems. The lie that everyone must work together to stop global phone scams is a lie precisely because American corporations dictate what work is allowed and what work will be prohibited. They are dictators, not collaborators. American business culture speaks; it does not listen. There can be no two-way conversation if those who come from other cultures cannot make American corporations listen.
A few things were accomplished through the 3.4 million words published by this website. I like to think that the many non-Americans who now mock the failure of STIR/SHAKEN are doing so because Commsrisk took a principled and public stand when most people who had heard of STIR/SHAKEN were calculating how to profit from it being implemented by global regulatory fiat. It is still difficult to find Americans who acknowledge the failure, even though its failure is evident to every other country. It is easier to find Brits who mock STIR/SHAKEN because American lobbyists lied about Britain adopting STIR/SHAKEN when it had not. And still has not.
Lying about failure makes it difficult to learn from mistakes. It saddens me that people who oppose any regulatory mandate that would require more people be employed to do worthwhile work are in cahoots with people who will lie egregiously about the need for regulators to mandate wasteful spending on flawed systems.
These battles have changed me. The person who wrote the very first Commsrisk article seems like a stranger to me now. In some ways I am poorer than that idealist, but in other ways I am richer. I cannot express how much gratitude I feel for the friends I have made and the encouragement I have received as a consequence of publishing Commsrisk. My only regret is that the future looks bleak for so many people working in this sphere. Not only are greedy execs running telcos into the ground by fighting necessary regulatory intervention despite all trust in their businesses having been lost already. They also despise their subordinates as much as their customers. Their only significant business strategy involves replacing capable, imaginative employees with robots.
I wish I could have done more to reverse the tide of increasingly anti-human business strategies. Those of you that continue to fight the soulless automatons who intend to dictate our collective future will always have my support. But for your own sake, please take time to step away from the machines. Go outside, breathe the air, feel the sun on your skin. Keep reminding yourself what it means to be a person, as opposed to being a corporate wage slave. Good luck to you all.
The lyrics at the beginning of this article are from “Wave of Mutilation”, a Pixies song about Japanese salarymen driven mad by the corporate world. The song manages to be both melancholy and uplifting at the same time. Somebody uploaded to YouTube a recording of Pixies’ performance of the song at the gig I attended last night. You can watch it below.



