Despite years of Federal Communications Commission (FCC) regulatory action, illegal robocalls remain one of the most pervasive consumer harms in American telecommunications. The industry’s efforts have not been without meaningful results: by 2025, approximately 85% of voice traffic exchanged between Tier-1 carriers was signed and verified using STIR/SHAKEN protocols, with 93% of those signed calls bearing the highest “A-level” attestation. Yet even as authentication coverage has grown, bad actors have demonstrated a persistent and troubling ability to adapt — exploiting gaps in call-signing protocols, abusing attestation levels, and routing traffic through less-scrutinized segments of the network.
The statistics that concern regulators most are not about volume, but about circumvention. Data provided to the FCC by the American Bankers Association demonstrated that criminals are capable of obtaining A-level or B-level attestation — the highest trust indicators in the STIR/SHAKEN framework — for fraudulent calls. In December 2025, prolific robocall signers were authenticating 88.1% of their calls at the A-level attestation tier. This is not a peripheral loophole; it is a direct exploitation of the trust architecture that the framework was built to protect. As TransNexus researchers observed, some authentication providers appeared to be deliberately routing calls over non-IP segments to strip authentication information and obscure identity.
The FCC’s enforcement record has correspondingly grown more aggressive. In August 2025, the Commission removed over 1,200 non-compliant voice service providers from the Robocall Mitigation Database (RMD) in a single sweep, effectively cutting them off from U.S. phone networks. Four concurrent enforcement actions in September 2025 — against providers for illegal traffic, traceback deficiencies, and missing mitigation plans — illustrated the Commission’s dual-track enforcement posture: address illegal traffic in real time and remove non-compliant providers from the ecosystem entirely. The message from the FCC was unambiguous: robocall compliance is no longer a checkbox exercise, but a business continuity requirement.
The Latest FCC Effort: Know Your Upstream Provider
On April 29, 2026, the FCC released a draft Further Notice of Proposed Rulemaking (FNPRM) that proposes new rules that impose stringent “Know-Your-Upstream-Provider” (KYUP) obligations on voice service providers, gateway providers, VoIP resellers, and other entities in the call path.
The draft KYUP FNPRM is the latest link in a chain of increasingly ambitious robocall proceedings that stretches from the TRACED Act of 2019 through a series of successive Reports and Orders and Further Notices of Proposed Rulemaking.
The Commission’s foundational step was the STIR/SHAKEN mandate, which required all major carriers to implement caller ID authentication across IP networks. Subsequent proceedings progressively expanded that obligation outward from large carriers to gateway providers, then to intermediate providers.
In 2023, the FCC released a Sixth Report and Order that adopted a mandatory authentication requirement for the first intermediate provider in the path of an unauthenticated SIP call, with a compliance deadline of December 31, 2023. A 2025 Order limited the use of third-party STIR/SHAKEN authentication, requiring carriers to use their own Service Provider Code (SPC) tokens and certificates, effective September 18, 2025.
At the March 2026 Open Meeting, the FCC adopted a Notice of Proposed Rulemaking targeting telephone numbering policies, seeking to restrict number resale to a single level, enhance NRUF reporting transparency, and address “number cycling” — the practice of rapidly rotating through large blocks of telephone numbers to evade detection. The Commission noted that cycled numbers can receive full STIR/SHAKEN attestation, effectively undermining authentication-based protections. This proceeding and the KYUP FNPRM represent a concerted effort by Chairman Brendan Carr to attack robocall fraud “at every single portion of the life cycle of a call,” rather than focusing on isolated bad actors.
KYC + KYUP: A Double-Barreled FCC Regulatory Push
The KYUP FNPRM must be understood in tandem with the separate Know-Your-Customer (KYC) proceeding that the Commission considered at its April 30, 2026, Open Meeting. The FCC unanimously voted to move forward with the KYC rulemaking, which focuses on how originating voice service providers screen new and renewing end-user customers before calls are placed. That FNPRM (FCC 26-27) proposes requiring providers to verify customer identities before enabling service — including confirmation of name, address, government-issued ID, and alternative phone numbers — and to assess penalties on a per-call basis, creating a potentially exponential liability model for high-volume originators.
On April 29, 2026, the FCC released the KYUP draft FNPRM, teed up for a vote at the May 20, 2026, Open Meeting. The proceeding is docketed as WC Docket No. 17-97 and CG Docket No. 17-59. While the KYC item addresses the provider-customer relationship at the point of call origination, the KYUP FNPRM addresses the provider-to-provider relationship throughout the call chain. The two rulemakings function as complementary layers of a more comprehensive compliance architecture: if the KYC rules create gatekeeping obligations at the customer-facing edge, the KYUP rules create gatekeeping obligations at every wholesale, reseller, intermediate, and gateway interconnection point in between.
The Five Core FCC KYUP Obligations
The draft FNPRM’s most significant substantive contribution is the proposed codification of five specific baseline categories of Know-Your-Upstream-Provider obligations. Current FCC rules require voice service providers to take “reasonable and effective steps” to ensure that upstream providers are not using the provider to carry a high volume of illegal traffic — a principles-based standard that the Commission believes has been applied inconsistently. The FNPRM would replace that standard with affirmative, effective measures to prevent an upstream provider from using the provider’s network or services to transmit illegal calls. The five proposed categories are:
- Information Collection — Providers would be required to obtain core business, ownership, affiliate, financial, operational, and service information from upstream providers before establishing a traffic relationship.
- Compliance Review — Providers would confirm the upstream provider’s RMD filing status and review whether the filing and robocall mitigation plan appear complete and substantively compliant, not merely present in the database.
- Information Verification — Providers would conduct due diligence to independently verify the authenticity and consistency of information provided by the upstream provider, rather than accepting representations at face value.
- Ongoing Monitoring — Providers would monitor upstream-provider activity for signs of unlawful traffic, suspicious call patterns, traceback evidence, complaint data, and other red flags on a continuing basis.
- Responsive Action — Providers would be required to refuse service, suspend service, or discontinue service when an upstream provider may be the source of illegal calls or otherwise presents an unacceptable risk.
The draft also specifies when KYUP review is triggered: before entering into a new upstream-provider agreement, before renewing or renegotiating an existing agreement, and whenever the provider finds or becomes aware of information suggesting risk. A one-time KYUP review of all existing upstream-provider relationships would also be required after any final rules become effective.
Strengthening the STIR/SHAKEN Ecosystem
The FNPRM does not stop at upstream-provider vetting. A second major pillar of the proposal addresses known weaknesses in the STIR/SHAKEN governance structure and attestation standards. The FCC would strengthen the role of the STIR/SHAKEN Governance Authority by proposing improved policies for issuing Service Provider Code (SPC) tokens, selecting Certification Authorities, and enforcing participation rules. The policy objective is to make it harder for bad-actor providers to obtain or retain access to the certificates they need to participate in the STIR/SHAKEN ecosystem — directly targeting the shell-company exploitation model, whereby fraudulent entities obtain high-trust certificates by presenting themselves as legitimate providers.
The draft would codify the A-, B-, and C-level attestation framework and establish more specific, enforceable criteria for when each level may be used:
- A-level attestation would require the provider to support both the identity of the customer and the customer’s right to use the calling number.
- B-level attestation would require a direct, authenticated relationship with the customer, but would apply where the provider cannot establish verified association with the telephone number.
- C-level attestation would remain appropriate where the provider lacks responsibility for origination or lacks a direct, authenticated relationship with the customer.
Crucially, the FCC would also codify explicit prohibitions on improper attestations — specifically, practices that overstate the provider’s knowledge of the calling party or the calling party’s right to use the number. This creates clearer enforcement hooks for attestation misuse, directly addressing the documented problem of prolific robocall signers applying A-level attestations to fraudulent calls.
Foreign-Originated Traffic: A Persistent Vulnerability
The FNPRM also asks whether the proposed KYUP and STIR/SHAKEN reforms would adequately deter illegal calls entering the United States from abroad, and whether additional measures are needed for foreign-originated traffic. This question is significant. The Industry Traceback Group previously reported that in 2021, 65% of voice service providers identified as transmitting illegal robocalls were either foreign-based or gateway providers.
While subsequent rule cycles have imposed increasingly rigorous obligations on gateway providers, foreign-originated traffic remains a structural challenge: STIR/SHAKEN covers U.S. NANP numbers, and calls entering through less-scrutinized gateway relationships can exploit gaps in authentication coverage.
The October 2025 Ninth FNPRM had already proposed requiring gateway providers to mark calls that originate from outside the United States and requiring all providers downstream to transmit that indicator to consumer handsets. The KYUP FNPRM adds a related layer of pressure by requiring gateway and international providers to satisfy the same KYUP obligations that apply to domestic wholesale and intermediate relationships, potentially requiring providers to vet foreign upstream partners with the same rigor now contemplated for domestic arrangements.
Compliance Implications for Voice Service Providers
The FNPRM is not a final rule — it opens a comment cycle (comments due 30 days after Federal Register publication; replies due 60 days after Federal Register publication) — but the direction of travel is clear enough to require immediate action planning. Providers should treat the draft as a preview of likely final obligations.
The compliance surface implicated by the KYUP FNPRM is wide. Provider contracts, onboarding workflows, RMD representations, call analytics systems, traceback response protocols, SPC token and certificate status, third-party signing agreements, and routing practices could all become relevant evidence in a future enforcement inquiry.
Several categories of providers face elevated exposure. Wholesale and resale providers will need to overhaul their standard onboarding practices, which currently tend to rely on contract representations and RMD status checks alone. Existing KYUP obligations on gateway providers will be strengthened and made more prescriptive, and the FNPRM’s questions on foreign-originated traffic signal continued scrutiny of international call-path practices.
A Maturation of the Robocall Regulatory Model
The draft KYUP FNPRM represents a maturation of the FCC’s approach to robocall regulation. The Commission is moving away from a regime in which providers could satisfy their obligations through certification filings and broadly worded policy commitments, and toward one that demands documented, verifiable, ongoing due diligence at every interconnection point in the voice call ecosystem. When read alongside the KYC rulemaking, the numbering policy NPRM, and the ongoing tightening of STIR/SHAKEN governance, the FNPRM reflects a deliberate and comprehensive theory of regulatory accountability: providers are responsible not merely for their own conduct, but for the conduct they knowingly enable.
For telecommunications counsel and compliance professionals, the FNPRM comment cycle represents both a significant participation opportunity and an operational planning trigger. The proposed baseline KYUP categories, attestation standards, and loophole-closing measures are likely to form the foundation of a final rule. Providers that begin mapping their current onboarding, monitoring, and attestation workflows against the proposed framework now — rather than waiting for final rules — will be better positioned for both comment filing and compliance readiness.
This article was prepared for informational purposes and does not constitute legal advice. Voice service providers, gateway providers, and entities in the call path should consult qualified telecommunications counsel to assess the specific implications of the draft FNPRM for their operations.
