The US Federal Communications Commission (FCC) announced on Friday a relaxation of deadlines that were stipulated in their SIM Swap and Port-Out Fraud Order of late 2023. Put simply, the original order set a different potential deadline for obligations relating to the collection and reporting of information than all the other new rules it imposed. Whilst telcos were expected to comply with the majority of the requirements by July 8, a portion needed to be further reviewed by bureaucrats to ensure compliance with a law called the Paperwork Reduction Act (PRA). The order effectively said the latter requirements would not be imposed before bureaucrats completed their work. Evidently the FCC hoped the bureaucrats would get the job done before July 8, so all the obligations within the order would become mandatory at the same time. That has not happened, resulting in a potentially split timetable for compliance, despite the fact that the information gathering component of the order is connected to other obligations. To avoid this, the FCC has instead set back and harmonized the deadlines so that all the obligations in the order will need to be satisfied as soon as the PRA review is complete.
It can take a real effort to read the formal crap produced by the FCC, presumably because obfuscation is the best way to ensure the average American tech journalist will never notice all the times when the FCC screws up. The FCC’s announcement reads as if they robustly denied an industry petition to set back the compliance deadline to March 10, 2025. Focusing on this date allowed the FCC to shift the emphasis away from the failings of government employees. The original FCC order allowed 6 months for telcos to implement the processes needed to comply with the new rules. It argued that the severity of fraud required prompt action. Setting the compliance date back to March 10, 2025 would mean allowing telcos much more time to upgrade their processes than originally envisioned. But we should not gloss over the fact that the bureaucratic failure to execute a timely PRA review is the main reason why the FCC felt it necessary to relax its compliance deadline. The FCC wanted the telecoms industry to make changes within 6 months, but bureaucrats needed more than 6 months just to comply with a law that prevents government agencies from ignoring the scale of burdens created by new diktats. That is the essential reason for this delay.
The new fraud prevention controls mandated by the order are generally sensible, and they should be realized without disproportionately increasing the cost of doing business. These controls include:
- adopting secure methods of authenticating a customer before switching a service to a new provider;
- processes for handling failed authentication;
- staff training on SIM swap and port-out frauds;
- controls to prevent insider frauds made possible by the switching of services;
- notification of customers prior to changing SIMs or switching providers;
- maintaining records of any SIM change request and the authentication information gathered at that time;
- giving customers the option to prohibit any SIM changes and porting of their services; and
- creating a process for customers to report fraud and then be told the outcome of fraud investigations.
It would be good for US consumers to benefit from these enhanced controls as soon as possible. But instead of congratulating themselves for creating new consumer protection obligations, this was an instance where too many bureaucrats got in the way of each other.
The formal notice of the delay can be read here.



