FCC Threatens to Disconnect Twilio for Illegal Robocalls

There are some journalists who orgasm each time the Federal Communications Commission (FCC), the US comms regulator, instructs a rinky dink telco to stop carrying illegal robocalls. That is because those journalists cannot tell (or do not care about) the difference between a substantial business and an ephemeral legal entity that could disappear tomorrow and be resurrected with a new name by the end of next week. The FCC has previously sent plenty of cease-and-desist letters about illegal robocalls to pissant telcos but this week the FCC did something different. For the first time, the FCC sent one of those robocall cease-and-desist letters to a big comms provider that really matters. Twilio is a communications-platform-as-a-service (CPaaS) business that is likely to generate over USD3.5bn of revenue during the current financial year. They received a letter much like other cease-and-desist letters from the FCC: stop the illegal robocalls within the next 48 hours, or be disconnected from the rest of the US comms system.

We have determined that Twilio Inc. (Twilio) is apparently originating illegal robocall traffic on behalf of one or more of its clients. As explained further below, this letter provides notice of important legal obligations and steps Twilio must take to address this apparently illegal traffic. Twilio should investigate the identified traffic and take the steps described below, including blocking the traffic if necessary, and take steps to prevent Twilio’s network from continuing to be a source of apparently illegal robocalls. Failure to comply with the steps outlined in this letter may result in downstream voice service providers blocking all of Twilio’s traffic, permanently.

It was the FCC’s choice to use bold and italics to emphasize their point, as if Twilio’s executives and lawyers might not otherwise understand the gravity of the situation. Twilio has almost 8,000 employees and a market capitalization of slightly over USD10bn at the time of writing. Mentioning the time of writing is important because Twilio’s value dropped 6.8 percent yesterday, before rebounding a little. In other words, the company’s value fell to USD9.74bn at one point during the day, after starting the day at USD10.46bn. Lots of other factors influence share price, and some big US tech stocks have fallen sharply over the course of last year, so it would be wrong to forecast any lasting impact. But the sudden disconnection of Twilio, with all the knock-on implications for other businesses that use Twilio to communicate with their customers, would not only cause a fire sale for Twilio’s shares, but would also send shock waves through many layers of US commerce. The FCC must anticipate that there is almost zero risk of them needing to act upon their threat. Nevertheless, explicitly voicing the threat to a company of the scale of Twilio represents an unprecedented escalation in how they enforce anti-robocall rules.

Twilio was given the standard period of 48 hours to halt the origination of the specific robocall campaign that prompted this campaign. They were also given 14 days to explain what new controls they have implemented that will prevent customers from using Twilio’s service to originate robocalls in future.

If after 48 hours Twilio continues to originate unlawful robocall traffic from the entities involved in this campaign, downstream U.S.-based voice service providers may begin blocking all calls from Twilio after notifying the Commission of their decision and providing a brief summary of their basis for making such a determination. Furthermore, if after 14 days, Twilio has not taken sufficient actions to prevent its network from continuing to be used to transmit illegal robocalls, then downstream U.S.-based providers may block calls following notice to the Commission. U.S.-based voice service providers may block ALL call traffic transmitting from Twilio’s network if it fails to act within either deadline.

The use of bold, italics AND capital letters reiterates the seriousness of the FCC’s threat. However, a footnote softened the 14-day deadline by saying Twilio is “encouraged to reach out to the Commission before the deadline if it anticipates needing more time to execute this step”.

The illegal robocalls that triggered this action are similar in nature to most other high-volume nuisance marketing campaigns that plague US consumers. The calls were instigated by a business called MV Realty which is already being sued by prosecutors in several different states. Per the FCC’s news release:

According to lawsuits from the Attorneys General of Florida, Massachusetts, and Pennsylvania, real estate brokerage firm MV Realty used misleading robocalls to “swindle” and “scam” residents into mortgaging their homes in exchange for small cash payments.

The FCC wisely focused their public message on the need to protect homeowners from mortgage scams. They have little to gain by referring to Twilio, which is a brand that will be unknown to most consumers. The average phone user only recognizes the name of comms providers they deal with directly, and has no knowledge of the all the other companies that provide the plumbing for telephony and the internet. However, industry insiders should notice how the FCC blamed Twilio for having inadequate know your customer (KYC) procedures. FCC Enforcement Bureau Chief Loyaan Egal stated:

‘Know Your Customer’ (KYC) principles should be at the forefront of all communications service providers’ business practices. It is concerning to see such a large provider allowing this kind of traffic on its networks. I hope and expect Twilio to immediately cease and desist.

There is an element of theater that surrounds this enforcement action which leads me to believe Twilio already knew they were going to receive this letter. The illegal MV Realty calls were made between May and December of 2022. Twilio was contacted as part of an investigation led by the US industry’s traceback group. Per the cease-and-desist letter:

The Traceback Consortium conducted tracebacks and determined that Twilio was originating apparently unlawful robocalls on behalf of MV Realty through its dialing provider PhoneBurner. The Traceback Consortium notified Twilio of these calls and provided access to supporting data identifying each call… Twilio told the Traceback Consortium that PhoneBurner had obtained called parties’ consent for the robocalls. Neither Twilio nor PhoneBurner provided the Traceback Consortium with evidence of consent.

So whilst the 48-hour and 14-day deadlines sound abrupt, and the threat of disconnection cannot be taken lightly, any competent comms provider should have anticipated the risk of a cease-and-desist letter from the FCC.

I believe this action is a way for the FCC to signal an important change of focus without them publicly losing face. Instead of a lot of jibber jabber about STIR/SHAKEN being used to authenticate calls, or how much foreign telcos are to blame for everything, the FCC has seemingly realized that the only way to get an immediate reduction in illegal robocalls is to pressure US comms providers into imposing strict know your customer requirements for the first time. The FCC needs to get tough about KYC because many comms providers will prefer lax KYC standards to voluntarily turning away customers. I have often criticized the FCC for adopting a misguided approach to tackling illegal robocalls, but insisting upon robust KYC is the right priority. Now they must follow through by genuinely punishing those big businesses which continue to provide criminals with access to the comms ecosystem.

The FCC’s cease-and-desist letter to Twilio can be found here and the press release explaining how the FCC responded to MV Realty’s robocalls is available here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.