Johannes Vallesverd of the Norwegian Communications Authority (Nkom) has played a leading role in the formation of the Global Informal Regulatory Antifraud Forum (GIRAF), the first serious attempt to harmonize how comms regulators address consumer scams. So it came as no surprise that Vallesverd took the initiative by posting the first ever communiqué from GIRAF to social media this week. Entitled “Carry with Care”, the statement briefly articulates what these regulators want from international carriers. Let us break it down, paragraph by paragraph; all emphasis is theirs.
The Global Informal Regulatory Antifraud Forum (GIRAF), an informal coalition of telecom regulators worldwide, calls on the international service providers (any intermediary player, including international carriers, hyperscalers, aggregators) industry, as one among the relevant stakeholder segments, to take more decisive action against fraudulent traffic.
Note the need to reiterate the informal nature of this collaboration between regulators. Nothing said by GIRAF is binding upon the regulators that participate. Nevertheless, issuing a joint statement is still a remarkable accomplishment.
Fraudulent traffic is so damaging not only to society but also to the industry itself that urgent concrete actions are needed. GIRAF acknowledges positive anti-fraud initiatives by several stakeholders, and at the same time GIRAF encourages the industry to further develop actions to reduce fraud.
None of that paragraph is controversial, although it is interesting that it was considered necessary to tell comms providers that they are also being hurt by the impact of scams on customers.
Therefore, GIRAF calls for active systematic efforts by international service providers to detect and block fraudulent traffic.
If anything, the problem with asking carriers to block traffic is that a vast increase in the amount of traffic blocked by automated filters is not turning the tide on crime, as has been explained by Endre Syvertsen, one of Norway’s leading experts in telecoms fraud.
GIRAF urges stakeholders to take part in international collaborations against fraud such as the One Consortium and others to raise awareness, establish best practices and share information.
Nobody would argue with the sentiment behind this request. However, the problem with asking for more collaboration is that there are now an expanding number of associations that seek to generate profit by charging telcos and vendors for opportunities to collaborate on how to reduce scams. Much of this work is superficial. Some of these associations are a sham, though regulators seemingly cannot differentiate between empty talk and sincere attempts to reduce crime. This leads to more competition for attention without adequate focus on results. Progress is further inhibited because rival associations are mostly unaware of each other’s work, and some are unwilling to endorse the progress made by their rivals.
One Consortium deserves more credit than most, so it is logical for GIRAF to encourage carriers to join One Consortium. On the other hand, I would hope that GIRAF will listen to advice from other associations as well. For example, Syvertsen is one of the Global Solutions Council (GSC) team that is working on a critique of the know-your-customer (KYC) code that I wrote in the hope it would eventually be approved by One Consortium and submitted to GIRAF for their consideration. I welcome any criticism of my work by GSC; egos need to be set aside. GSC’s experts have considerable hands-on experience and their motives are sincere. GIRAF should be willing to review GSC’s critique, even if it conflicts with the advice of One Consortium, because healthy and open debate between experts in fraud management will lead to better policies.
GIRAF encourages international service providers to avoid partnerships with service providers that lack robust antifraud policies and practices as per industry best practices and regulatory mandates.
This paragraph is tame. If GIRAF wants decent telcos to stop working with dodgy telcos then they should say it plainly. However, stating this plainly would also put the onus on regulators to change policies that currently force carriers to provide services to dodgy telcos. Giving carriers more freedom to refuse to provide services will be uncomfortable for regulators that still believe maximizing competition is their overriding mission, even when some of the competition comes from telcos that endanger the public.
GIRAF encourages international service providers to provide adequate public transparency on their policies to stop fraud.
More transparency would be nice. However, regulators need to bare their teeth and intimidate telcos into publishing policies on fraud prevention. The ongoing farce that is the US Robocall Mitigation Database illustrates what will happen if telcos are told to publish something about scam prevention but regulators fail to stipulate what they expect to read. The KYC code that I wrote gives telcos the option to deviate from the code if the telco states how and why they deviated from it. If GIRAF decides to support this KYC code then regulators should demand that all carriers within their jurisdiction either state their willingness to comply with the code in its entirety or else publish their reasons for deviating from it.
GIRAF underpins that international service providers contracts should have clear descriptions of antifraud obligations such as duties and rights to block, in accordance with relevant regulations. GIRAF encourages the international industry to make the necessary contractual alignments ensuring that fraud prevention is financially viable.
The influence of i3Forum, the progenitor of One Consortium, is evident in this paragraph. i3Forum has been particularly effective at tackling fraud by drafting standard clauses for inclusion in contracts. These clauses normalize how carriers will reduce fraud so nobody can claim to be surprised when, for example, payment is withheld for fraudulent traffic. Further normalization of expectations surrounding when payment will be withheld for illegal voice and messaging traffic is likely to be one of the quickest ways to secure measurable reductions in crime, especially if backed by practical support from regulators and law enforcement.
GIRAF encourages international service providers to interact in an effective manner with law enforcement and/or regulators in fraud traceback enquiries, to the extent that information is available.
This is fine, but the lack of support from law enforcement has long been one of the biggest frustrations for telcos. Why should the private sector keep supplying information to the police if it never results in any prosecutions? One test of GIRAF is whether they will also seek to educate the law enforcement agencies of multiple countries on how to better support the anti-scam efforts of the private sector.
GIRAF also encourages regulators and other public authorities to actively engage with international service providers residing in their jurisdiction in order to ensure that appropriate antifraud measures are in place.
Kudos to GIRAF for setting an example to those regulators and public authorities.
GIRAF acknowledges that there could be a need for regulatory guidance on measures to combat fraud eg. on privacy, datasharing (sic) and concrete fraud protection measures. Service providers should actively interact with regulatory bodies to seek guidance. In this guidance regulators should take into account in their analyses and interpretations of the regulations, the magnitude of damage caused to individuals and societies by digitally enabled fraud.
This paragraph is too mild. GIRAF’s regulators will only admit there could be a need for guidance on when it is legal to share intelligence? Regulators and data protection agencies continue to dance around one of the key obstacles to fighting international crime. However, comms regulators are entitled to some sympathy because Europe’s data protection agencies do not apply GDPR consistently, even though they are meant to all be imposing the same rules. Meanwhile, the chances of the USA respecting the data protection rules of Europe are less than zero given President Trump’s interventions on top of a history of politicians only paying lip service to the legal implications of sharing data about European citizens with the USA.
The vast majority who read GIRAF’s statement will agree with the vast majority of its contents. One outstanding question relates to how many will read it, and whether it will be read and respected by the executives who ultimately set the priorities for carriers. The use of LinkedIn to publish this communiqué is indicative of the limited resources available to an association of regulators that does not even have its own website.
Another vital question is whether GIRAF will evolve into a body that makes more significant demands of others. Profiting from scams is endemic within the comms sector. There is no way to clean up the industry without facing considerable resistance. It is taking too long to identify and attack that resistance. Voluntary collaboration is not enough; there must be punishment for those businesses which continue to profit from the plague of consumer scams.
The LinkedIn post with GIRAF’s “Carry with Care” communiqué can be found here.



