David Casem, CEO of Telnyx (pictured) has publicly stated they will fight a USD4.5mn fine for inadequate know-your-customer (KYC) controls that was proposed by the US Federal Communications Commission (FCC) last week. This is good news. As a major communications platform as a service (CPaaS), Telnyx will be able to force the FCC to answer questions it has previously skirted around. Irrespective of whether Telnyx’s KYC checks were robust or not, the FCC’s strategy for reducing illegal communications traffic is built on shaky foundations that would benefit from being challenged. In particular, the FCC keeps encouraging the false impression it can ‘crack down’ on abuses of its KYC rules when the truth is that it does not really have any KYC rules. A full-on legal confrontation between the FCC and Telnyx may force the FCC to refine its expectations or abandon the pretense that it is enforcing rules that are too vague for either side to know when they have been broken.
Casem posted on LinkedIn his thoughts about the proposed fine.
If you haven’t heard, Telnyx was wrongfully hit with a proposed $4.5MM (sic) fine by the Federal Communications Commission.
Casem then emphasized that Telnyx “will not be rolling over on this one” before he linked to a blog about the case that was written by Joe Bowser of legal firm Roth Jackson. Bowser’s blog is headlined “Vague Rules, Strictly Enforced” and it pinpoints the crux of the issue.
The FCC has never defined its “KYC” requirement. The rule just says that a carrier must “take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.” 47 C.F.R. § 64.1200(n)(4). This is obviously not a self-explanatory requirement.
The election of Donald Trump means the Republicans have taken control of the FCC, but there have been no signs of a change in the regulator’s rhetoric about robocalls. New FCC Chairman Brendan Carr used the same tired old language as predecessors Jessica Rosenworcel and Ajit Pai when announcing the ‘first agenda for the new Commission’.
Cracking down on illegal robocalls and protecting consumers from bad actors will be a top priority at the FCC.
Outgoing Chair Jessica Rosenworcel sought praise for her own ‘crack down’ just a few weeks ago. Eight years of continuous ‘cracking down’ by three FCC Chairs in succession suggests that these crackdowns are not all they are cracked up to be. Nevertheless, the FCC’s press release about the proposed Telnyx fine featured more of the same hype.
In a bipartisan vote and the first Commission-level action under Chairman Brendan Carr, the FCC today proposed a $4,492,500 fine against Telnyx LLC related to government imposter robocalls made on its network.
And what was the highly-sophisticated mechanism used to identify these particular illegal calls?
Among other potential victims, the calls were made to FCC staff and their family members and purported to be from a fictitious FCC “Fraud Prevention Team.”
In other words, 8 years of crackdowns on illegal robocalls, combined with a pitiful number of fines issued by the FCC for robocall violations and the most recent FCC ruse of simply not telling the US government if they fined anybody in 2024 has delivered an enforcement program that only kicks into action when the robocalls upset politicians, upset the people in the telecoms industry who are meant to trace bad calls, or upsets the employees of the FCC. Somebody should remind these individuals that the goal is to protect the general public from illegal calls, not just to protect a few privileged people with an inside track to the FCC’s enforcement division. Nevertheless, Carr claimed that fining Telnyx…
…continues the FCC’s longstanding work to stop bad actors.
To complicate matters further, one FCC Commissioner voted against the proposed Telnyx fine on the grounds that the FCC may not be legally entitled to levy such fines without bringing them to federal court so the defendant can have a jury trial. Commissioner Nathan Simington’s dissent referred to the Supreme Court decision in Securities and Exchange Commission vs Jarkesy which can be interpreted as placing limits on regulatory bodies to issue civil penalties that deter wrongdoing without respecting the common law right to trial by jury. Or to put it another way, I keep commenting that the USA is completely ineffective at deterring networked fraud because of its broken legal system, but the Jarkesy decision means the legal system may be even less suited to the task of protecting the public from networked abuses than previously thought.
Whilst lawyers fought interminable fights about what is and is not a rule, and what can and cannot be punished, the US communications sector spent half a billion dollars on using STIR/SHAKEN to ‘authenticate’ phone calls. More recently, spokespersons like ex-FCC lawyer Josh Bercu of the US Traceback Consortium have begun lecturing countries with fewer nuisance calls about the alleged wave of enforcement activity occurring in the USA. The FCC’s own press release paints a contrasting picture about how much this supposed enforcement activity has deterred illegal calls.
On the night of February 6, 2024, and continuing into the morning of February 7, 2024, over a dozen FCC staff and some of their family members reported receiving calls on their personal and work telephone numbers that transmitted the following artificial and prerecorded voice message:
“Hello [first name of recipient] you are receiving an automated call from the Federal Communications Commission notifying you the Fraud Prevention Team would like to speak with you. If you are available to speak now please press one. If you prefer to schedule a call back please press two.”
The FCC has no such “Fraud Prevention Team” and the FCC was not responsible for these calls. The FCC’s Enforcement Bureau believes the purpose of the calls was to threaten, intimidate, and defraud. One recipient of an imposter call reported that they were ultimately connected to someone who “demand[ed] that [they] pay the FCC $1000 in Google gift cards to avoid jail time for [their] crimes against the state.”
Fraud professionals with sharp instincts may have noticed one important fact that nobody at the FCC will choose to dwell upon: the fraudsters knew the names of the people they were calling, and programmed their calls accordingly. The increased sophistication of technology, coupled with atrocious attitudes to data protection, means Americans can be targeted by scams more precisely than ever before. These particular fraudsters were not that clever: they called people in the FCC whilst pretending to be people from the FCC. But what will happen when a scammer uses similar techniques to target employees of a hospital, or the students of a particular university, or former prisoners on parole, or members of a particular pension scheme? Will the FCC also swing into action to protect them, or do they only act when the victims are employees of the FCC or members of the ruling political party? The so-called success of the current US strategy is mostly measured by attempting to count the total number of bad calls that are connected. That raw figure is now misleading. Criminals are switching to more targeted scam campaigns which make fewer calls overall but where each call has a greater chance of deceiving the recipient.
The FCC has repeatedly tried to shift responsibility for tackling crime on to other parts of the communications ecosystem. They want technologies that identify and block illegal calls automatically, even though such technologies would inevitably block some legal calls too. But telcos do not want to block illegal calls that might actually be legal. So now the FCC is realizing that there is a need to stop bad callers, instead of just stopping the bad calls. If they fail for long enough, they may eventually realize that the worst fault lies with the people that the FCC never criticizes: itself and its political masters. The US comms regulator and the US government are responsible for a dysfunctional legal and regulatory system that almost never punishes the people who originate illegal calls, and hence offers no deterrence to organized crime.
A telco can have the toughest KYC checks in the world, but that will accomplish little if crooks always remain free. Career criminals will repeatedly adopt false identities, then use them to test each telco’s KYC defenses in turn. The legal and regulatory system needs to support the efforts of the private sector by punishing the bad actors identified by both KYC checks and traffic analytics. Instead of treating the legal system as the bedrock for maintaining law and order, which would require them to own their past failings, the FCC predictably and routinely shifts all blame to the private sector:
Under FCC rules, all voice service providers, including Telnyx, are obligated to know their customers and exercise due diligence before allowing them to originate calls. Telnyx apparently failed to verify the identity of its customer that placed the scam robocalls. As the companies responsible for introducing calls onto the public voice network, originating providers are best positioned to prevent illegal calls by stopping them before they begin.
And as the people who run the police and the courts and the prisons, the government is best positioned to prevent illegal calls by putting criminals behind bars! But note again how the FCC repeats disinformation about FCC rules. It seems not to occur to some people to question where these rules are, and what they actually state. Sadly, numerous private sector cronies have assisted the FCC’s misdirection. Businesses are trying to sell tools that might have some value if underpinned by robust legal deterrents and robust KYC. The US has neither, so they just pretended there are robust legal deterrents and robust KYC in order to keep making more sales.
The net result has been many wasted years when the truth should always have been apparent. Too many industry insiders have spoken about processes and technologies to aid the enforcement of rules that only existed in their imagination. Nothing is gained by the US industry spending half a billion dollars on using STIR/SHAKEN to ‘authenticate’ calls if some comms providers do not check who is actually making those calls. Anti-fraud professionals should have been working on a robust common standard during the time that has been lost due to the distracting combination of FCC propaganda and vacuous tech marketing. There is always a need for somebody to do KYC before a call can truly be authenticated. None of the STIR/SHAKEN boosters ever thought about how to do KYC. They just repeated the word ‘authentication’ over and over again, as if technology would magically do a job that needs to be performed by a human being who judges the risk of accepting a new customer.
All of these failings would be bad enough if they were limited to one country. What really appalls is that lobbyists who were responsible for the calamitous failings of the US strategy have been continuously pushing for other countries to repeat the same mistakes, with insufficient opposition from professionals who should know better. I can understand why lawyers hide behind words, even when those words say almost nothing. I can even understand (but not forgive) engineers who like to discuss flashy technology whilst divorcing themselves from the practical aspects of how well it will perform in real life. It is a tragedy that some anti-fraud professionals behaved as if STIR/SHAKEN was their friend, whilst failing to say anything about the practical challenges involved in discriminating between a legitimate customer and a criminal.
American anti-fraud professionals who said nothing about KYC either before or after the adoption of STIR/SHAKEN have shamed themselves. That massive investment in a new and overhyped technology should have been a golden opportunity to insist upon increased expenditure on staff that are trained to identify fraudsters. But instead of warning their peers in other countries, they allowed disinformation about the status of KYC requirements to be spread unchallenged because they thought it would be a way to increase their own importance. They hoped to export tougher standards to other countries that send traffic to the USA as compensation for failing to impose higher standards within the USA. That was a grievous mistake.
Standards cannot rise if standards are not written down, then adopted, then enforced. Poor countries are not going to spend a fortune on denying criminals access to the global communications ecosystem if the same criminals can continue to pay an American business to provide that access. The US industry, being concerned by the number of robocalls received by Americans, should have led the development of KYC standards with the intention that these standards would gain traction globally. Apart from occasional exceptions, such as the voluntary KYC standard promoted by the Cloud Communications Alliance (CCA), and the model KYC standard published by Numeracle, there has been a distinct lack of progress towards the US industry agreeing common KYC expectations.
Unlike the FCC and its cronies, I do not have a multimillion dollar budget. I do not have a team of PR goons to prettify the dissembling of a team of well-paid lawyers. I can only use this cheap but widely-read website to state simple facts that should be obvious, despite other people pretending they are false. The USA has no real rules about the KYC checks that comms providers should execute before they accept a customer that intends to make communications in bulk. This puts businesses like Telnyx in an invidious position. There is no way for them to tell if their KYC is stricter or weaker than that of their rivals. If weaker, then perhaps it is fair to criticize them for doing too little to prevent harm. If stricter, they will definitely lose revenue but the same harm will still originate on another network. That is why pushing for a consistent global standard for KYC of bulk communicators is one of the three missions that caused me to bring Commsrisk back.
Perhaps my draft KYC code of conduct is terrible, though I hope not, because it is mostly copied from the work of the CCA and Numeracle that was mentioned above. Perhaps you know how to improve it. Demand changes to it, if they are needed. But please do not ignore it, like the US authorities have ignored the detail that needs to go into effective KYC. This message goes especially to the regulators who read Commsrisk. Learn from the mistakes made in the USA instead of repeating them. Do not be fooled into thinking a large chunk of the global communications industry has good and robust KYC rules just because some people pretend those rules exist. And for everyone else, you may want to consider joining One Consortium, where I hope that my draft KYC code of conduct will be offered for debate in the near future.
The FCC’s explanation of the proposed USD4.5mn fine of Telnyx can be found here.



