On November 20, 2023, the FCC released the Report and Order and Further Notice of Proposed Rulemaking adopting rules to address SIM swapping and port-out fraud.
Report and Order
In the R&O, the FCC establishes “baseline rules” that create a uniform framework to address SIM swap and port-out fraud, but does not specifically prescribe how providers must comply with those rules. The FCC finds that this approach will allow providers flexibility to establish the fraud prevention measures that work best for their networks, companies, customers, and unique circumstances, while also ensuring a baseline of protection for consumers. To achieve this, the FCC is revising its Customer Proprietary Network Information (“CPNI”) and Local Number Portability (“LNP”) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s number to a new device or provider. The rules also require providers to immediately notify customers whenever a SIM change or port-out request is made. The FCC notes that providers will be required to comply with the modified rules except where the Safe Connections Act requires alternate procedures to be used.
Specifically, the R&O adopts the following rules and requirements:
- Updated Customer Authentication Requirements: The FCC requires wireless providers, prior to conducting a SIM change or port, to use secure methods to authenticate a customer that are reasonably designed to confirm a customer’s identity. Wireless providers are required to regularly, and not less than annually, review and as necessary update their customer authentication methods to ensure they remain secure. The FCC cautions providers that methods of authentication that use readily available biographical information, account information, recent payment information, and call detail information do not constitute secure methods of authentication.
- Response to Failed Authentication Attempts: The FCC requires providers to immediately notify customers in the event of failed authentication attempts in connection with SIM change or port-out requests. The notification must be reasonably designed to reach the customer associated with the account, but otherwise, wireless providers are permitted to determine the method of providing these notifications. The notifications must use “clear and concise language.” Providers are required to develop, maintain, and implement procedures for responding to failed authentication requests that are reasonably designed to prevent unauthorized access to a customer’s account.
- Customer Notification of SIM Changes/Port-Out Requests: The FCC requires wireless providers to immediately notify customers of any requests for a SIM change associated with the customer’s account or requests to port a number. The notification must be delivered before the carrier completes the SIM change or port-out request. Wireless providers may determine the method of providing the notification provided it is reasonably designed to reach the customer associated with the account and is delivered in accordance with customer preferences.
- Account Locks for SIM Changes/Port-Out Requests: The FCC requires wireless providers to offer all customers (pre-paid and post-paid), at no cost, the option to lock or freeze their account to stop SIM changes and port-out requests. Providers have flexibility on how to comply with this measure, provided that the process to activate and deactivate an account lock is not unduly burdensome for customers such that it effectively inhibits them from implementing their choice. Providers may not fulfill SIM change requests or port numbers until the customer deactivates the lock. Providers may proactively initiate a SIM swap lock when the provider believes the customer may be at high risk of fraud, provided customers are notified of the lock and the carrier complies with customer requests to deactivate it. Proactive initiation of a lock must be limited in duration and extend only so long as the high risk of fraud is evident to the provider.
- Tracking Effectiveness of the Protection Measures: The FCC requires wireless providers to track and maintain information regarding SIM change and port-out requests and their authentication measures, and to retain that information for three years. Providers are encouraged to retain information that will help them measure the effectiveness of their customer authentication and account protection measures.
- Safeguards on Employee Access to CPNI: The FCC requires all telecommunications carriers to establish safeguards and processes so that employees who interact directly with customers are unable to access CPNI until after a customer has been properly authenticated.
- Telecommunications Carriers’ Duty to Protect CPNI: The FCC reminds carriers that they are statutorily required to protect the confidentiality of proprietary information of and relating to customers and that they have an existing legal obligation to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.
- Customer Notification of Account Protection Measures: The FCC requires wireless providers to provide notice, using clear and concise language, of any account protection measures that the provider offers, including the measures adopted in the R&O, and to make the notice easily accessible via provider websites and applications.
- Employee Training: The FCC requires wireless providers to develop and implement training for employees on how to identify, investigate, prevent, and remediate SIM swap and port-out fraud.
- Requirements to Remedy SIM Swap and Port-Out Fraud: The FCC requires wireless providers to maintain a clearly disclosed, transparent, and easy-to-use process for customers to report SIM swap and port-out fraud, promptly investigate and take reasonable steps within their control to remediate such fraud, and, upon request, promptly provide customers with documentation of SIM swap and port-out fraud involving their accounts. These measures must be provided at no cost.
- Implementation Timeframe: The FCC requires wireless providers to comply with the requirements in the R&O six months after the effective date of the R&O (30 days after publication in the Federal Register) or, for those requirements subject to review by the Office of Management and Budget (“OMB”), upon completion of that review, whichever is later.
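To show how the authentication, failed-attempt notification, account-lock and record-keeping requirements above fit together in one request-handling flow, here is an added illustrative policy engine (not FCC or carrier code). The account, the sample number, the factor name "otp_to_device" (standing in for any authenticator not on the FCC's list of insecure ones) and the timestamps are constructed for the walk-through; the weak-factor list mirrors the categories the R&O says are not secure methods of authentication.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Authenticator categories the R&O says are not secure on their own.
WEAK_FACTORS = {"biographical", "account_info", "recent_payment", "call_detail"}

@dataclass
class Account:
    msisdn: str
    locked: bool = False                               # customer-activated lock
    proactive_lock_until: Optional[datetime] = None    # carrier-initiated, time-limited
    notices: List[str] = field(default_factory=list)   # notifications sent to the customer
    audit_log: List[dict] = field(default_factory=list)  # records to retain for three years

def is_locked(acct: Account, now: datetime) -> bool:
    """A proactive lock only holds while its expiry is still in the future."""
    return acct.locked or (acct.proactive_lock_until is not None and now < acct.proactive_lock_until)

def process_request(acct: Account, kind: str, factors: List[str], auth_ok: bool, now: datetime) -> str:
    """Decide one 'sim_change' or 'port_out' request. factors: authenticators used;
    auth_ok: whether the customer passed them. Every outcome is logged."""
    entry = {"when": now.isoformat(), "kind": kind, "factors": sorted(factors)}
    if not factors or set(factors) <= WEAK_FACTORS:       # readily available info only
        entry["result"] = "rejected_weak_auth"
    elif not auth_ok:                                     # immediate notice on failure
        acct.notices.append(f"Failed {kind} authentication attempt on your account.")
        entry["result"] = "auth_failed"
    elif is_locked(acct, now):                            # lock blocks until deactivated
        entry["result"] = "blocked_by_lock"
    else:                                                 # notify before completing
        acct.notices.append(f"A {kind} request was received and is being completed.")
        entry["result"] = "completed"
    acct.audit_log.append(entry)
    return entry["result"]

def demo():
    """Constructed walk-through; returns the decisions and the account state."""
    acct = Account(msisdn="15551230000")                 # constructed sample number
    t0 = datetime(2024, 1, 15, 12, 0)
    out = [process_request(acct, "sim_change", ["biographical", "recent_payment"], True, t0),
           process_request(acct, "port_out", ["otp_to_device"], False, t0)]
    acct.locked = True                                   # customer activates the free lock
    out.append(process_request(acct, "port_out", ["otp_to_device"], True, t0))
    acct.locked = False
    acct.proactive_lock_until = t0 + timedelta(days=7)   # carrier sees high fraud risk
    out.append(process_request(acct, "sim_change", ["otp_to_device"], True, t0))
    out.append(process_request(acct, "sim_change", ["otp_to_device"], True, t0 + timedelta(days=8)))
    return out, acct
```

The final call succeeds only because the proactive lock has expired, illustrating the requirement that carrier-initiated locks be limited in duration.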
Further Notice of Proposed Rulemaking
In the FNPRM, the FCC seeks comment on the following:
- Harmonizing the existing requirements governing customer access to CPNI with the SIM Change authentication and protection measures adopted in the R&O.
- Steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud.
- Other consumer protection measures.
- Digital equity and inclusion considerations.
Comments will be due 30 days after Federal Register publication.
Reply comments will be due 60 days after Federal Register publication.