On September 30 there will be a couple of webinars you should consider joining because they will cover the single most important change in thinking about how to reduce networked scam communications since the beginning of this decade. It is rare for me to advertise other people’s webinars but it seems appropriate when I am one of the speakers. The webinars will discuss the publication of the new i3Forum know-your-customer (KYC) code of conduct for comms providers that handle voice and messaging communications in bulk. In other words, it is a global code that should make it harder for criminals to program machines to make thousands of robocalls or robotexts that attempt to scam the general public, if the code is widely adopted and respected in practice.
Some may disagree with the importance I attach to this new KYC standard. They may say their business already has robust KYC. Perhaps they do. And if they do, those folks should have no objection to demonstrating their enthusiasm for robust KYC by endorsing and agreeing to obey the new code of conduct. But as very many ordinary people across many countries continue to be plagued by illegal scam communications, some of which originates domestically and some that originates in other countries, and because there are telcos who say their filters are blocking billions of illegal calls and messages, we can deduce that not every business that supplies comms services to bulk users is doing enough to check the history and reputations of their customers. Criminals hide behind business fronts that appear legitimate. They need to be weeded out.
Nobody likes to turn away a potential customer and nobody likes creating friction for legitimate customers. That is why some consistency in the KYC rules adopted by all comms providers would benefit every honest comms provider. There have been some well-intentioned but flawed attempts to stop bad actors gaining access to the comms ecosystem by tracing bad calls to their origin or by applying digital signatures to comms. The flaws in these methods stem from their piecemeal nature. If a bad message is traced to its origin, or a signature is attached to a bad call, what has really been accomplished if no rule was broken by anybody who can be identified? If there are no rules for the comms provider’s KYC then no rule was broken when they provided their services to a criminal. And if the criminal who is ultimately responsible for the scam cannot be found because they created a bogus business front, used fake identities, or employed a stooge to be their fall guy, then there is nobody who can be usefully prosecuted for the illegal communication that was made. Little is accomplished if scammers always remain free to try, try and try again, and if they can rely upon shady comms providers to grant them access to the ecosystem when others will not. Tracing comms to their origin and attaching validation signatures to communications are forms of audit control, but without a robust foundation in KYC, every audit control that comes afterwards is neutered. Auditing data is only useful if the data can be linked to something or someone that matters in the real world.
Without consistent KYC expectations for all comms providers, the net result of piecemeal downstream controls on illegal traffic can only be:
- increased burdens for honest comms providers;
- reduced revenues for honest comms providers;
- increased revenues for crooked comms providers; and
- no lasting reduction in the number of scam communications received by the public.
I wrote a typically provocative headline for this article although I should clarify that my contribution to this code mostly involved the use of ctrl-c and ctrl-v as I copy-pasted chunks of text from documents written by people who know more about KYC than I do. The reason to be provocative is to highlight how tempting it can be to discuss the wrong priorities for consumer protection controls. I am not a billion-dollar vendor. I am not one of those associations that claims to have dozens of partnerships with other associations that are all supposedly collaborating on the reduction of scams. The last time I was employed in a management job by a telco was in 2012. I just run this website where I spout my opinions on how to do a better job of running comms providers. But somehow a lot of clever and important people neglected to dig adequate KYC foundations for the anti-scam controls they have been lobbying for. So I grabbed my keyboard and did something in a few hours that the industry has been failing to do for years. We need a common global KYC code. I do not care if it is a code that I wrote, that somebody else writes, or some future version with many amendments to the new i3Forum standard. First we need to accept the need for consistent KYC, then consciously make progress towards realizing common KYC expectations in practice. That so many people have had so much to say about tackling scams without being forced to address the need for a common KYC code is an indictment of our global industry.
There is considerable risk in associating me with any KYC code of conduct. That is because there are lots of people in billion-dollar vendors, some people in associations, and a few people in telcos who loathe me. I find it necessary to provoke this reaction among some people; logic dictates that anybody who is liked by 100% of the comms industry must also be liked by 100% of the scumbags who work in the comms industry. You cannot make an omelette without cracking eggs and we cannot stop fraud without cracking those industry insiders who profit from fraud. It gives me pleasure to frustrate bad people who do bad things but causing annoyance will not accomplish anything on its own. We need to move beyond complaining about who is doing a bad job of fighting scams and towards ostracizing the bad people responsible for scams. Good intentions need forceful backing. As with so many of my articles written in the last few years, national regulators of comms services are the principle audience for this article. They must learn to disregard what people keep saying about KYC; regulators need to examine what comms providers are doing about KYC. That sadly means disregarding some of the associations and corporations that talk repeatedly and vaguely about KYC but have no serious intention to deliver any meaningful change. It is to the amazing credit of i3Forum, as led by Philippe Millet and Christian Michaud, and of its Fight Fraud working group, led by Katia Gonzalez of Proximus Global, that they tolerate me despite all the downsides to allowing me to hang around. This shows they are sincerely trying to accomplish a goal which is so difficult that many others prefer to ignore it, or only pay lip service to it.
As for copy-pasting a KYC code, there would be nothing to copy if others had not already put electronic ink on electronic paper. Kudos to Numeracle for publishing a model KYC standard in 2023. I wrote at the time that “somebody has to start a conversation that will lead to the agreement of common standards for KYC”. Those somebodies were Sarah Delphey, who now works for Bandwidth as their Director of Global Trusted Solutions, and Rebekah Johnson, CEO of Numeracle. These two ladies drew upon their considerable hands-on knowledge of KYC when crafting Numeracle’s model KYC standard. The Cloud Communications Alliance (CCA) was among the first to follow their lead. The CCA published KYC guidance in 2024 that reiterated much of Numeracle’s work. Around the same time, the i3Forum’s Fight Fraud group canvassed its members about the KYC questions they should all be asking potential customers. It seemed obvious to me that these observations could be combined with the aforementioned publications to produce a more general international code for how KYC should be conducted. Fionán Mc Grath of Cellusys ably vetted my use of ctrl-c and ctrl-v to produce a draft document which was then submitted for the approval of the i3Forum’s board.
My sole intellectual contribution to the i3Forum’s KYC code stems from my experience of managing risk and compliance in general. There has been a worldwide trend to make corporate governance rules more flexible by adopting the principle of “comply or explain”. Instead of arguing the minutiae over every conceivable example of a rule being thwarted because a precise reading leads to an outcome which complies with the letter of the rule but not its spirit, or with the spirit of the rule but not its letter, a “comply or explain” approach lets organizations adopt rules that deviate from a standard on condition that they must explain why they needed to deviate from the standard. This rational compromise means there is enough flexibility to deliver the same overall outcome across businesses that face very different challenges in practice. There are a lot of different comms providers in the world; I doubt anybody could write a few pages of KYC rules that would equally well apply to all of them. “Comply or explain” also means general rules can be kept succinct because it is the responsibility of individual organizations to document every necessary deviation. All organizations can concentrate on the essence of the common rules rather than being waylaid by particularities that only relate to some specific business models.
The final version of the code of conduct, as amended and approved by the i3Forum board, retains the principle of “comply or explain” but limits its effect by also articulating some minimum expectations that every comms provider should comply with. I would have preferred to have a looser code of conduct sooner than to wait for the stricter version published this month but the task of realizing consistent global KYC rules will never be achieved unless everybody shows some willingness to compromise. Even I can compromise sometimes. Following its adoption and approval by i3Forum’s board, the KYC code will next be submitted to the governing council of One Consortium for their consideration. If they approve it — and presumably they will feel obliged to approve a KYC code eventually, even if it means proposing amendments to a code already accepted by representatives of many One Consortium members — then the code will be provided to the national comms regulators who attend the meetings of the Global Informal Regulatory Antifraud Forum (GIRAF).
These national regulators will not need to approve the KYC code of conduct because it is global and voluntary in nature, but their awareness should reduce the risk of a proliferation of incomplete and inconsistent KYC standards in different places. The slower the progress towards adopting common KYC expectations worldwide, the greater the risk that national agencies will feel compelled to intervene in ways that will add to the complexity of consumer protection by obliging comms providers to apply different KYC checks to customers that call or message phone users in different regions. Such operational inefficiencies would detract from getting the most effective KYC controls overall, and there are already signs that legislators in different states within the USA are minded to impose inconsistent standards. A fracturing of the compliance landscape would be counterproductive. We need to hurry to avert this.
In summary, if you work for a comms provider that services calls or messages in bulk then your business should seek to follow the new common KYC code or document why it needs to follow different KYC rules that the business has written for itself. If you sit on the Council of One Consortium then you should just adopt the i3Forum’s code without any changes, although I acknowledge that a few of you hate me and you may want to change the code out of spite. And if you work for a regulator, you should be turning up to GIRAF meetings and asking about the recommended KYC code, as well as questioning the reasoning behind any changes which are proposed or the motives of anyone who objects to the existence of this code.
The i3Forum is no joke. Their role in tackling the global scam pandemic is rarely mentioned by the mainstream press but that is because mainstream journalists who see everything through a domestic prism tend to know nothing about the internal mechanics of an international industry. The i3Forum’s members include many of the biggest carriers of international comms traffic. It has taken a while, but they have published a KYC code of the type that the entire global industry needs. If this code is good enough for them, it should be good enough for anybody, especially because the “comply or explain” principle means there is some flexibility in how businesses can choose to follow the code in practice. Every day we delay the move towards consistent global KYC expectations is another day that fraudsters remain free to exploit the flaws and inconsistencies in the anti-fraud regimes we already have. I hope you will all share my desire for greater urgency in the pursuit of common global KYC rules. Those of you who join us for the September 30 webinars will help with creating that sense of urgency by demonstrating how many recognize the need for a global KYC code.
The i3Forum’s new KYC code is available here. Live webinars to explain the code are scheduled for 8am Central European Time (11.30am India, 2pm China) and 4pm Central European Time (10am US Eastern, 7am US Pacific) on September 30. Register for either webinar here.



