The Australian Communications and Media Authority (ACMA) has announced punishment for a telco which received ported phone lines without performing sufficient checks to confirm the port was requested by the actual user. Circles Australia Pty Limited, which trades using the Circles.Life brand, has been issued with a formal infringement notice that states they failed to comply with know your customer (KYC) obligations per Australia’s mobile number pre-porting identity verification standard. Circles.Life admitted to their shortcoming by advising they should have complied by sending a one-time password by SMS to the relevant phone number before executing the port. The fine of AUD199,800 (USD142,000) was calculated by applying a standard penalty of AUD13,320 (USD9,450) to 15 specific instances of numbers that were ported without being checked.
Circles.Life has also offered compensation worth over AUD100,000 (USD71,000) to 42 customers affected by their lapses. Per a statement from the ACMA, at least seven of these customers suffered direct financial losses. Customers whose numbers were wrongly ported were said to have suffered a number of frauds including compromised privacy for their emails or the loss of access to their bank accounts.
The ACMA emphasized the importance of protecting consumers from scams that involve taking over a customer’s phone account. However, there are also some troublingly arbitrary aspects to the way their penalty was calculated. The ACMA’s investigation concluded Circles.Life were guilty of 1,787 contraventions of the porting KYC rules between 1 August 2021 and 2 December 2021, plus an unknown number of contraventions between 26 October 2020 and 31 July 2021. No explanation is given as to why their penalty was calculated by applying a standard amount to only 15 instances of non-compliance, the earliest of which occurred on 7 August 2021 and the last occurring on 24 November 2021. However, we can guess at the likely explanation because their investigation report oddly states they relied on the following.
…information obtained by the ACMA from the Australian Cyber Security Centre identifying Circles as the gaining mobile Carriage Service Provider (CSP) in 12 alleged unauthorised ports of mobile service numbers (commonly known as mobile phone numbers) as reported by victims of fraud between 15 August 2021 and 25 November 2021
12 complaints of fraud might relate to 15 phone numbers being ported because some cases would likely involve multiple numbers being hijacked from the same household account. It is noticeable that the sparse distribution of the dates of the 15 ports includes a few cases where two ports occurred on the same day. Complaints would not be received until after a non-compliant port had been executed by Circles.Life, meaning it is plausible that the port on 7 August led to the complaint on 15 August and the port on 24 November led to the complaint on 25 November. But even if this explanation is valid, it begs a question about why the ACMA is concluding there were at least 1,787 contraventions but only issued fines in the small number of cases where customers also reported they were the victim of a fraud to the Australian Cyber Security Centre. This suggests a lack of confidence in whether the ACMA’s conclusions would stand up to scrutiny if challenged in court, so they erred on the side of caution by only issuing fines when they could rely on customers and the Australian Cyber Security Centre to testify a fraud had occurred as a consequence of Circles.Life’s deficiencies.
It has never been more important to protect phone users from scammers, including those who take over phone accounts as a stepping stone to raiding the bank accounts, online wallets, or other sensitive services belonging to victims. Circles.Life did not take basic steps to protect the public from fraudsters. The timing of this penalty is intriguing because Circles.Life is a multinational MVNO group based in Singapore, and the comms regulators in Australia and Singapore recently signed an agreement to help each other investigate violations of telecoms laws. I can only speculate as to whether Australian authorities felt it prudent to gain the additional backing of the bilateral agreement before issuing a fine to a telco ultimately controlled from Singapore. What cannot be disputed is that comms regulators are paying more attention to protecting phone users from crime than ever before. However, they are ill-suited to the task, as regulators are only capable of performing superficial investigations long after the crimes have been committed. This also explains a growing tendency seen in multiple countries where telcos are said to be guilty of very many violations of rules but receive large penalties that are only derived from a tiny subset of all the violations.
Regulators are seemingly compensating for their weakness at performing investigations and building a legal case by imposing very hefty tariffs on a small fraction of infringements. This will be uncontroversial in simple cases where telcos admit to doing wrong, but it also stores up trouble for later. Criminals do not simply give up; they adapt and find new ways to profit from breaking the law. So however successful regulators are in simple cases like these, relative success must inevitably lead to more complex enforcement cases in future. If penalties are calculated on an arbitrary basis, because only an arbitrary fraction of all violations incur the ‘standard’ fine, then some crooked telco that can afford expensive lawyers will eventually challenge the scale of any fine they receive, whilst arguing the regulator has been unfair to them. Strong enforcement requires both the ability to conduct a thorough investigation and the confidence to apply penalties to every infraction. If a single flawed port is worth AUD13,320 then the 1,787 known infractions by Circle.Life should deserve a fine of AUD23.8mn (USD16.9mn). Regulators are tempting fate by giving everybody the impression they are following a consistent process to calculate penalties when the reality is they are disguising serious weaknesses in how they determine and apportion the scale of non-compliance.