You make a good point about "KYC as a proxy for fraud mitigation". Validating a name/address/mobile number might deter the casual criminals, but a serious threat actor will be equipped to pass the KYC barriers.
In regards to any regulatory requirements, this is a follow up to a thread from December, quoted below for reference. https://puck.nether.net/pipermail/voiceops/2023-December/010278.html Justin B Newman justin at ejtown.org Tue Dec 12 17:52:31 EST 2023 > > I am not a lawyer. Anyone considering offering any VoIP services today > should have a lawyer well versed in the Act and the associated regulations. > Starting a VoIP service in the US is no longer an easy or regulation-free > endeavor. > > Within the United States, the TRACED Act required the FCC to establish > regulations "including by establishing registration and compliance > obligations, and requirements that providers of voice service given access > to number resources take sufficient steps to know the identity of the > customers of such providers, to help reduce access to numbers by potential > perpetrators of violations of section 227(b) of the Communications Act of > 1934 (47 U.S.C. 227(b))." > > 47 USC 227(b) regulates Automated Telephone Equipment, for what it's worth. > > In the December 22, 2020 Caller ID Authentication Best Practices, (WC > Docket Nos. 17-97 and 20-324, DA-1526), the FCC outlines _voluntary_ > practices for know your customer (KYC), but emphasizes they are voluntary. > Specifically, they recommend, "Voice service providers should vet the > identity of retail and wholesale subscribers, in conjunction with (i) > approving an application for service; (ii) provisioning of network > connectivity; (iii) entering into a contract agreement; or (iv) granting > the right-to-use telephone number resources." > > But further, 47 CFR § 64.1200(n)(3) requires a provider to, "Take > affirmative, effective measures to prevent new and renewing customers from > using its network to originate illegal calls, including knowing its > customers and exercising due diligence in ensuring that its services are > not used to originate illegal traffic." > > While I can imagine an argument that one has no KYC obligations if not > supporting outbound, this imposes a clear obligation to perform KYC if > doing outbound calling. That said, I would be uncomfortable receiving a law > enforcement request related to a telephone number I issued (inbound only) > where I was unable to identify the subscriber. Other providers may have > different risk tolerances, but I do not believe interpreting these as > requiring KYC for all number issuance to be uber-conservative. On Thu, Feb 29, 2024 at 11:07 PM Denver Gingerich <[email protected]> wrote: > > On Thu, Feb 29, 2024 at 10:44:20AM -0800, Calvin E. via VoiceOps wrote: > > A complication here is that it's an extra telephone number privacy service, > > and blocking VPN users is becoming another point of "signup friction". Any > > KYC solution we implement won't be able to assume anything from GeoIP > > lookup. For example, one of our North America subscribers had no idea their > > VPN service was reaching us from Saudi Arabia and Armenia. > > I guess I'm not sure what your reason is for KYC here. Do you feel like it's > needed by some regulation? Are you providing phone numbers in countries > whose laws require ID if you register a phone number there? > > > A further complication is free users that don't provide any billing > > information. > > How do they use your service? Do they have to install a specific app? Is it > only available from the App Store or Play Store? There might be > billing-info-like properties if so. > > > What's the minimum and maximum effort others are putting in to filter out > > the Donald Ducks and Scooby-Doos? > > If you believe there's something required by regulation, then I'd look to the > text of the regulation (ideally with a lawyer) to see what efforts that > regulation requires. But I also wonder if you're looking for KYC as a proxy > for fraud mitigation, in which case the solutions will be much different. > You can definitely do successful fraud mitigation without any KYC (e.g. where > your customers pay with anonymous cryptocurrency or cash). > > Denver > https://jmp.chat/ _______________________________________________ VoiceOps mailing list [email protected] https://puck.nether.net/mailman/listinfo/voiceops
