An investigation by the Australian Communications and Media Authority (ACMA) has found Telnyx breached multiple obligations relating to fraud prevention and public safety. Telnyx is headquartered in Chicago, USA, and offers a communications-platform-as-a-service (CPaaS) via subsidiaries worldwide. The telco has paid a penalty of AUD106,560 (USD72,200) for violations by its Australian operation and been formally reminded of their obligations.
ACMA discovered that at least 4,666 SMS messages were sent with SenderIDs that had not been checked to ensure the sender was entitled to use them. Telnyx also failed to submit one quarterly report on the number of scam messages it had blocked.
The regulator separately determined that Telnyx did not adequately check the identities of several hundred customers. At least 557 new prepaid mobile customers were activated after Telnyx scrutinized ID documents using an online portal despite the rules stating that these documents must be presented in person. Checks on new prepaid mobile customers also failed to determine how many phone lines the customer already had, and hence whether more extensive identity checks were required for those customers wanting five or more lines in total.
There were flaws in the way Telnyx managed customers who transferred from other providers. They did not adequately confirm the identities of at least 118 customers who ported in from other telcos between 2020 and 2022. For example, Telnyx only recently adopted the practice of sending confirmation codes to the phones of users so they can approve a port before it occurs. Such checks are required to prevent phone users being ported without their consent.
Telnyx also failed to satisfy its obligation to always provide customer data to Australia’s Integrated Public Number Database (IPND). The database is used to contact Australians during emergencies and by law enforcement. Telnyx failed to supply data to the IPND on 3,256 occasions between 2017 and 2022.
Telnyx was fined AUD79,920 (USD54,150) for the violations relating to IPND and prepaid customer checks and AUD26,640 (USD18,050) for failing to comply with the porting obligations. This gives a total penalty of AUD106,560 (USD72,200). However, there was no financial penalty for the failure to check SMS SenderIDs. This was at odds with the ACMA press release, which stated the total penalty for Telnyx and which placed most emphasis on the risk of scam SMS messages but which did not break down how the various infringements related to the amount Telnyx was fined.
In addition to paying their fine, Telnyx agreed to train staff about how to comply with their obligations and to hire an independent consultant who will review their compliance practices and produce a report for both Telnyx and the ACMA. This agreement can be enforced in court if necessary, but it is also limited to the customer identity and IPND regulations, whilst excluding Telnyx’s obligation to check SMS SenderIDs.
It is interesting that the ACMA played up the part which grabs the public’s attention — stopping deceitful robotexts — although the bulk of their enforcement action concentrated on other issues. There is always an extent to which we must be mindful of regulators telling the public what they want to hear although their words are not aligned to the ways in which they act.
On the other hand, the ACMA deserves credit because they are routinely calling out brand-name telcos for failing to do enough to stop scams. Both fraud and electronic communications are global, but national regulators exhibit sharp variations in how they behave. The US Federal Communications Commission (FCC) also courts public opinion by issuing enforcement notices relating to scams, but most of these notices target obscure little businesses. With the sole exception of Twilio, the FCC has not shamed any major comms providers for implementing inadequate anti-scam controls. In contrast, the ACMA had already blasted the lax controls of Twilio, Vonage, Infobip, Symbio and Sinch before they directed their ire at Telnyx.
It is striking that the Australian regulator keeps identifying issues with telcos that are ultimately headquartered in the USA but which never receive any criticism from the US regulator. This preposterous situation is facilitated by a lackluster approach to sharing fraud intelligence. Communications fraud professionals do not even have a resource that reliably compares the public announcements that different national regulators make about crime and regulatory violations, never mind exchanging confidential data about crime in different countries.
Too many pseudo-experts think they are being helpful when they recycle whatever garbage they have seen reported on a US news website. I cannot wait for AI to make these worthless goons redundant. As shown by this Australian action, even when information is in the public domain, the narrative presented in a regulator’s press release can conflict with the detailed paperwork they also publish. Unfortunately, journalists tend to repeat press releases without comparing their contents to other regulatory publications. This then amplifies another problem created by the Anglosphere: the tendency to assume the USA is the best and most reliable source of all kinds of information. Looking at the detail of the enforcement action being taken in Australia and USA shows there are some sharp differences in the ways that regulators punish violations of anti-scam mandates. This begs many questions about the generalizations made by regulators, and whether they reflect genuine knowledge that must remain confidential, or are merely stories that they want the public to believe.
The ACMA press release about Telnyx’s regulatory infringements can be found here and the detailed paperwork relating to their findings and enforcement actions can be found here.



