On Thursday, September 30, 2021, the FCC released a Notice of Proposed Rulemaking (“NPRM”) that seeks comment on its proposal to amend Local Number Portability and Customer Proprietary Network Information rules to protect consumers against SIM swapping and port-out fraud. To combat SIM swapping fraud, the NPRM proposes to require carriers to use secure methods of authenticating a customer before effectuating a SIM swap and to immediately notify customers whenever a SIM change or port request is made on customers’ accounts. The NPRM seeks comment on this proposal and also seeks comment on:
- What methods of authentication should be required. The NPRM suggests the following secure methods of authentication: use of a pre-established password; a one-time passcode sent via text message to the account phone number or a pre-registered backup number; a one-time passcode sent via e-mail to the e-mail address associated with the account; or a passcode sent using a voice call to the account phone number or a preregistered back-up telephone number. The NPRM seeks comment on whether these methods are overly burdensome for the carriers or customers, and whether they would impede certain customers from updating their SIM cards, whether there are other methods of authentication that would prevent SIM fraud, and how to address updates in authentication technology, among other things.
- What an appropriate implementation period is for wireless carriers to implement changes to their customer authentication process. The NPRM suggests that “speedy implementation is appropriate,” and seeks comment on barriers to a short implementation timeline, ways to eliminate or reduce obstacles, and whether smaller wireless carriers will need additional time to implement the requirements proposed.
- Requiring wireless carriers to develop procedures for responding to failed authentication requests, such as implementing a requirement that SIM swaps be delayed for 24 hours in the case of multiple failed authentication requests while notifying the customer.
- Requiring wireless providers to notify customers immediately of any requests for SIM changes. The NPRM seeks comment on how the notification should be provided, what methods would most effectively alert customers to SIM fraud, and whether to implement a 24 hour delay to notify the customer of a SIM swap request, that the customer could shorten via verification.
- Potential remediation efforts for SIM swap fraud, including whether to require carriers to respond and offer redress within a specific time frame.
- Whether the revised customer authentication measures should apply only to wireless carriers and only with respect to SIM swap requests, or if it should be expanded to all providers covered by the CPNI rules. Similarly, the NPRM seeks comment on whether the new rules should apply to only certain wireless services, such as pre-paid services.
- Additional methods to prevent SIM swapping fraud, including whether to impose customer service, training, and transparency requirements designed to prevent SIM swap fraud, require carriers to collect data about SIM swap fraud, and any other changes to the FCC’s rules to combat this fraud.
To combat port-out fraud, the NPRM proposes to require wireless carriers to provide notification to customers through text message or other push notification to the customer’s device whenever a port-out request is made to ensure that customers may take action in the event of an unauthorized port out request. The NPRM seeks comment on this proposal and also on:
- Whether carriers currently notify customers of port out requests, and if not, how much time they would need to implement such a requirement. Similarly, the NPRM asks if this is a sufficient requirement to stop port-out fraud, or whether they should require authentication through other means.
- What other technical or innovative solutions for customer authentication may be implemented to reduce port-out fraud.
- Requiring all wireless providers, including resellers, to offer customers the option to place a “port-freeze” on their accounts at no cost to the customer, similar to the local exchange carrier rules that allow customers to prevent changes in their account unless the customer gives express consent. The NPRM seeks comment on whether this would be effective, how to notify customers of this new feature, whether to extend the local exchange carrier rules regarding solicitation and imposition of this option to wireless carriers, and how to address customers who lock their account but cannot remember the information necessary to unlock it.
- Codifying the types of information carriers must use to validate simple wireless-to-wireless port requests to include telephone number, account number, and zip code, plus a passcode field (if customer-initiated). The NPRM also seeks comment on whether additional information should be required and whether the passcode filed should be required for all port requests.
- Potential remediation efforts for port-out fraud, including imposing requirement that carriers respond and offer redress within a specific time frame.
- Additional methods to prevent port-out fraud, including tracking information about port-out fraud, whether the Local Number Portability Administrator can help stop port-out fraud, customer training, and record retention requirements.
Comments will be due 30 days after publication in the Federal Register and reply comments will be due 60 days after publication in the Federal Register.
Please Contact Us if you have any questions.