The FCC’s Compliance Overhaul: What Providers Need to Know

Show Notes

The FCC is proposing a sweeping overhaul of its robocall framework, signaling a shift toward stricter, more prescriptive compliance requirements. In this episode, we break down the key elements of the FNPRM—from the introduction of Know Your Upstream Provider (KYUP) obligations to expanded KYC rules and tighter STIR/SHAKEN standards. We also explore what these changes mean for operational processes, compliance costs, and industry accountability. Tune in to understand how this evolving regulatory landscape could reshape voice service providers’ approach to risk management and compliance.

 

Read the full article

FCC’s KYUP FNPRM Signals a Further Shift Toward Prescriptive Robocall Compliance Obligations

 

About the authors

Susan Duarte, CIPP (US/E), CIPM

Jill Canfield

Stephen T. Sharbaugh

Transcript

Welcome to Womble Perspectives, where we explore a wide range of topics, from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever changing legal landscape.

With a focus on innovation, collaboration and client service. We are committed to delivering exceptional value to our clients and to the communities we serve. And now our latest episode.

Host A:
In today’s episode, we're diving into the regulatory shift caused by the FCC’s latest proposal targeting robocalls.

 

Let’s start with the big picture. The FCC’s Further Notice of Proposed Rulemaking is expanding obligations dramatically. Providers would now be responsible for addressing all illegal calls, not just high-volume robocalls.

 

Host B:
Previously, enforcement focused mainly on scale, large volumes of suspicious traffic. Now, the expectation is much broader, covering even isolated violations.

 

Host A:
One of the most notable additions is something called KYUP—Know Your Upstream Provider. Think of it as due diligence on the partners sending you traffic. Providers would need structured processes to vet upstream partners, monitor their traffic, and validate caller ID information.

 

And the FCC wants continuous oversight—at onboarding, during contract renewals, and whenever new concerns arise.

 

Host B:
Which brings us to a recurring theme in this proposal: operationalizing compliance. The FCC is essentially saying, “It’s not enough to do the right things—you need to prove you’re doing them.” And that means formal compliance programs, documented workflows, multi-year recordkeeping, and clear coordination between compliance and business teams.

 

Monitoring now becomes central. What used to be considered a best practice—like call analytics and regular compliance checks—would now be expected as standard operating procedure.

 

Host A:
Now alongside Know Your Upstream Provider, there’s another parallel effort the FCC is pursuing—expanding its Know Your Customer requirements.

 This expansion would impose detailed obligations around customer identity verification and recordkeeping—essentially tightening control at the origination level.

 

Host B:
Critics argue that this adds significant operational complexity. There’s also concern around data privacy—collecting and storing more sensitive customer information naturally raises risk.

 

And cost is a major factor too. Even though the FCC suggests many providers already perform some of these activities, formalizing them into strict processes could be expensive.

 

Host A:
Let’s shift focus to enforcement. The proposal introduces an “objectively reasonable” standard. Providers must be prepared to take documented, timely action when problems arise.

 That could mean refusing or even terminating service to upstream partners who present compliance risks.

 

And these decisions need to be defensible. It’s not just about what action you take—but how well you can demonstrate your reasoning and process.

 

Host B:
Another major piece of this proposal focuses on STIR/SHAKEN—specifically tightening attestation practices.

 

For those unfamiliar, STIR/SHAKEN is the framework used to authenticate caller ID information. The FCC wants to codify the attestation levels—A, B, and C—and crack down on improper use.

 

And that’s aimed at addressing inconsistencies and perceived abuses that have weakened trust in the system.

 

Host A:
There’s also a push for broader accountability. The FCC is proposing enhanced oversight of the Governance Authority and expanding participation requirements across all provider types.

 

So when you step back, the overarching message is clear: the FCC believes gaps in enforcement and inconsistent practices have undermined the current system.

  

And their solution is more uniformity, more documentation, and more accountability—across the entire call path.

 

Host B:
For providers, this means informal or ad hoc processes won’t cut it anymore. Compliance programs will need to be fully developed, structured, and continuously monitored.

 And perhaps most importantly—auditable. Providers will need to show not just outcomes, but the integrity of the processes behind those outcomes.

 

Bottom line? Expect increased scrutiny, higher compliance costs, and a stronger emphasis on risk management.

Thank you for listening to Womble Perspectives. If you want to learn more about the topics discussed in this episode, please visit The Show Notes, where you can find links to related resources mentioned today. The Show Notes also have more information about our attorneys who provided today's insights, including ways to reach out to them.

Don't forget to subscribe via your podcast player of choice so that you never miss an episode. Thank you again for listening.