[Federal Register Volume 86, Number 197 (Friday, October 15, 2021)]
[Proposed Rules]
[Pages 57390-57404]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-22099]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Parts 52 and 64
[WC Docket No. 21-341; FCC 21-102; FR ID 52298]
SIM Swapping and Port-Out Fraud
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Commission adopted a Notice of Proposed
Rulemaking (NPRM) that focuses on putting an end to two methods used by
bad actors to take control of consumers' cell phone accounts and wreak
havoc on people's financial and digital lives without ever gaining
physical control of a consumer's phone. In the first type of scam,
known as ``subscriber identity module swapping'' or ``SIM swapping,'' a
bad actor convinces a victim's wireless carrier to transfer the
victim's service from the victim's cell phone to a cell phone in the
bad actor's possession. In the second method, known as ``port-out
fraud,'' the bad actor, posing as the victim, opens an account with a
carrier other than the victim's current carrier. The bad actor then
arranges for the victim's phone number to be transferred to (or
``ported out'') to the account with the new carrier controlled by the
bad actor. This NPRM takes aim at these scams by proposing to amend the
Federal Communications Commission's (Commission) Customer Proprietary
Network Information (CPNI) and local number portability (LNP) rules to
require carriers to adopt secure methods of authenticating a customer
before redirecting a customer's phone number to a new device or
carrier. The NPRM also proposes to require providers to immediately
notify customers whenever a SIM change or port request is made on
customers' accounts, and seeks comment on other ways to protect
consumers from SIM swapping and port-out fraud.
DATES: Comments are due on or before November 15, 2021, and reply
comments are due on or before
[[Page 57391]]
December 14, 2021. Written comments on the Paperwork Reduction Act
proposed information collection requirements must be submitted by the
public and other interested parties on or before December 14, 2021.
ADDRESSES: You may send comments, identified by WC Docket No. 21-341 by
any of the following methods:
Electronic Filers: Comments may be filed electronically
using the internet by accessing ECFS: https://www.fcc.gov/ecfs/.
Paper Filers: Parties who choose to file by paper must
file an original and one copy of each filing.
Filings can be sent by commercial overnight courier, or by first-
class or overnight U.S. Postal Service mail. All filings must be
addressed to the Commission's Secretary, Office of the Secretary,
Federal Communications Commission.
Commercial overnight mail (other than U.S. Postal Service
Express Mail and Priority Mail) must be sent to 9050 Junction Drive,
Annapolis Junction, MD 20701.
U.S. Postal Service first-class, Express, and Priority
mail must be addressed to 45 L Street NE, Washington, DC 20554.
Effective March 19, 2020, and until further notice, the
Commission no longer accepts any hand or messenger delivered filings.
This is a temporary measure taken to help protect the health and safety
of individuals, and to mitigate the transmission of COVID-19. See FCC
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, 35 FCC Rcd 2788 (2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
People with Disabilities: To request materials in accessible
formats for people with disabilities (braille, large print, electronic
files, audio format), send an email to [email protected] or call the
Consumer & Governmental Affairs Bureau at (202) 418-0530 (voice), 202-
418-0432 (TTY).
FOR FURTHER INFORMATION CONTACT: Wireline Competition Bureau,
Competition Policy Division, Melissa Kirkel, at (202) 418-7958,
[email protected]. For additional information concerning the
Paperwork Reduction Act information collection requirements contained
in this document, send an email to [email protected] or contact Nicole
Ongele, [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice
of Proposed Rulemaking (NPRM) in WC Docket No. 21-341, adopted and
released on September 30, 2021. The full text of the document is
available on the Commission's website at https://www.fcc.gov/document/fcc-proposes-rules-prevent-sim-swapping-and-port-out-fraud. To request
materials in accessible formats for people with disabilities (e.g.,
braille, large print, electronic files, audio format, etc.), send an
email to [email protected] or call the Consumer & Governmental Affairs
Bureau at (202) 418-0530 (voice) or (202) 418-0432 (TTY).
Initial Paperwork Reduction Act of 1995 Analysis
This document contains proposed information collection
requirements. The Commission, as part of its continuing effort to
reduce paperwork burdens, invites the general public to comment on the
information collection requirements contained in this document, as
required by the Paperwork Reduction Act of 1995, Public Law 104-13.
Public and agency comments are due December 14, 2021.
Comments should address: (a) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission's burden estimates; (c)
ways to enhance the quality, utility, and clarity of the information
collected; (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated
collection techniques or other forms of information technology; and (e)
way to further reduce the information collection burden on small
business concerns with fewer than 25 employees. In addition, pursuant
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might
further reduce the information collection burden for small business
concerns with fewer than 25 employees.
Synopsis
I. Notice of Proposed Rulemaking
1. We believe that our CPNI and number porting rules are ripe for
updates that could help prevent SIM swapping and port-out fraud. In
this NPRM, we propose to prohibit wireless carriers from effectuating a
SIM swap unless the carrier uses a secure method of authenticating its
customer. We also propose to amend our CPNI rules to require wireless
carriers to develop procedures for responding to failed authentication
attempts and to notify customers immediately of any requests for SIM
changes. We also seek comment on whether we should impose customer
service, training, and transparency requirements specifically focused
on preventing SIM swap fraud. We likewise propose to amend our number
porting rules to combat port-out fraud while continuing to encourage
robust competition through efficient number porting. Finally, we
consider whether we should adopt any other changes to our rules to
address SIM swap and port-out fraud, including the difficulties
encountered by victims of these schemes. We seek comment on our
proposals and invite input from stakeholders on how to best tailor the
rules to combat this growing, pernicious fraudulent activity.
A. Strengthening the Commission's CPNI Rules To Protect Consumers
2. Customer Authentication Requirements for SIM Change Requests. To
reduce the incidence of SIM swap fraud, we propose to prohibit carriers
from effectuating a SIM swap unless the carrier uses a secure method of
authenticating its customer, and to define ``SIM'' for purposes of
these rules as a physical or virtual card contained with a device that
stores unique information that can be identified to a specific mobile
network. As used in our proposed rules, the term ``carrier'' includes
``any officer, agent, or other person acting for or employed by any
common carrier or user, acting within the scope of his employment.'' We
seek comment on these proposals. Consistent with the recommendations
made last year by the Princeton Research team that studied SIM
swapping, we propose that use of a pre-established password; a one-time
passcode sent via text message to the account phone number or a pre-
registered backup number; a one-time passcode sent via email to the
email address associated with the account; or a passcode sent using a
voice call to the account phone number or a preregistered back-up
telephone number would each constitute a secure method of
authenticating a customer prior to a SIM change. We seek comment on
this proposal and whether it will serve as an effective deterrent to
SIM swapping fraud. As used here, a ``pre-established password'' is a
password chosen by the customer for future use to authenticate a
customer for access to account information or to make account changes.
3. Are each of these authentication methods secure? Since 2016, the
National Institute of Standards and Technology (NIST) has recognized
[[Page 57392]]
known risks associated with SMS-based authentication, distinguishing
``SMS-based authentication from other out-of-band authentications
methods due to heightened security risks including `SIM change.' '' In
addition, recent media reports call into question the security of using
text messages for authentication purposes. For example, a recent
investigation found that SMS-based text messages could be easily
intercepted and re-routed using a low-cost, online marketing service
that helps businesses do SMS marketing and mass messaging. As with SIM
swap fraud, once the hacker was able to re-route a target's text
messages, the hacker was also able to access other accounts associated
with that phone number. Wireless carriers reportedly have mitigated the
security vulnerability uncovered in this investigation. Has this
vulnerability has been fixed so that it is no longer a threat to
customers of any carrier? What rules could we adopt to ensure that
authentication using text messages is secure and effective to protect
consumers from SIM swap fraud? Or alternatively, should we prohibit
carriers from using text messaging, or specifically SMS text messaging,
to authenticate customers requesting SIM swaps? What steps could we
take to prevent a customer's text messages from being forwarded without
authorization? Should we, for example, require companies offering the
text forwarding services to call the customer whose texts will be
forwarded to confirm consent prior to forwarding? If so, what authority
may we rely upon to adopt such a rule? Are such methods effective? What
other steps should we take to help secure customers' accounts and text
messages?
4. All of the methods of authentication that we propose to include
in the requirement to authenticate a wireless customer before allowing
for a SIM swap are familiar ones, already used by consumers and
companies in various other circumstances. Based on stakeholder
experience with these methods of authentication, how burdensome would
our proposed authentication requirement be on customers making
legitimate SIM change requests? Would they pose particular challenges
to customers whose phone associated with their account has been lost,
stolen, or destroyed, or customers who are not comfortable with
technology, or to customers with disabilities? Should customers be able
to opt-in or opt-out of certain methods of authentication?
5. We also invite comment on whether there are other secure methods
of authentication that we should allow carriers to use to authenticate
their customers in advance of effectuating a SIM change. What practices
and safeguards do carriers currently employ to authenticate customers
when SIM change requests are made? Have carriers implemented any
processes and protections to address SIM swap fraud specifically? If
so, have those practices been effective? Do carriers use multi-factor
authentication and has it been effective in preventing SIM swap fraud?
If so, should we adopt a multi-factor authentication requirement to
prevent SIM swap fraud? If we do require multi-factor authentication,
is texting sufficiently secure to permit it as an authentication method
for use in multi-factor authentication? Are there emerging technologies
or authentication methods in development that could potentially be
implemented to protect customers from SIM swap fraud? Are there other
security measures incorporated into handsets or operating systems that
can be used to authenticate or otherwise prevent SIM swap fraud? Could
blockchain technologies that store data in a decentralized manner offer
additional security when authenticating customers requesting SIM
changes? Are there limitations in these technologies, such as security,
storage, scalability, and cost that could place a burden on providers
and manufacturers of SIMs? What privacy risks are associated with any
of these methods or others suggested by commenters? How effective would
any of these methods be at deterring SIM swap fraud? As with the
methods we have proposed, what challenges do other secure methods of
authentication pose to customers and how burdensome would they be on
customers making legitimate SIM change requests, particularly those
customers who are no longer in possession of their cell phone because
it was lost, stolen, or destroyed, or customers who are not comfortable
with technology, or customers with disabilities? What are the costs to
carriers for any alternative secure authentication methods?
6. If we adopt a specific set of authentication practices that
carriers must employ before effectuating a SIM change, how can we
account for changes in technology, recognizing that some of these
methods may become hackable over time, while additional secure methods
of authentication will likely be developed over time? We seek comment
on whether instead of requiring specific methods of authentication, we
should adopt a flexible standard requiring heightened authentication
measures for SIM swap requests. The Commission has previously found
that ``techniques for fraud vary and tend to become more sophisticated
over time'' and that carriers ``need leeway to engage emerging
threats.'' The Commission has allowed carriers to determine which
specific measures will best enable them to ensure compliance with the
requirement that carriers take reasonable measures to discover and
protect against fraudulent activity. We observe that to the extent
carriers have already implemented or are considering implementing
additional protections against SIM swap fraud, we want to ensure that
any rules we adopt do not inhibit carriers from using and developing
creative and technical solutions to prevent SIM swap fraud or impose
unnecessary costs. Would codifying a limited set of methods for
authenticating customers in advance of approving SIM swapping requests
reduce carriers' flexibility to design effective measures and, in
effect, reduce their ability to take aggressive actions to detect and
prevent fraudulent practices as they evolve? Could requiring specific
methods of authentication provide a ``roadmap'' to bad actors? What
costs would such requirements impose on carriers, particularly smaller
carriers?
7. To that end, we seek comment whether we should instead require
carriers to comply with the NIST Digital Identity Guidelines, which are
updated in response to changes in technology, in lieu of other
proposals. The NIST Digital Identity Guidelines are a set of guidelines
that provide technical requirements for federal agencies ``implementing
digital identity services,'' focusing on authentication. Would
requiring carriers to adopt and comply with these guidelines ``future
proof'' authentication methods? Would these guidelines effectively
protect consumers in the context of SIM swap fraud? Are these
guidelines generally applicable in the telecommunications context, and
do the guidelines provide sufficient flexibility to carriers? Would
requiring carriers to comply with the guidelines pose any difficulties
for smaller providers, and would the authentication methods recommended
in the guidelines pose any particular challenges to customers? We also
seek comment on whether there are other definitive government sources
that we could consider adopting as appropriate authentication methods.
8. We also seek comment on what would be an appropriate
implementation period for wireless carriers to implement any changes to
their customer authentication processes. Because of the serious harms
associated with SIM swap fraud, we believe that a
[[Page 57393]]
speedy implementation is appropriate. Are there any barriers to a short
implementation timeline and, if so, what are they? What could we do to
eliminate or reduce potential obstacles? Will smaller wireless carriers
need additional time to implement the requirements we propose?
9. Are there other ways we can strengthen the Commission's customer
authentication rules to better protect customers from SIM swap fraud?
For example, for online access to CPNI, our rules require a carrier to
authenticate a customer ``without the use of readily available
biographical information[ ] or account information.'' Given evidence of
the ease with which bad actors can create recent payment or call detail
information, we propose to make clear that carriers cannot rely on such
information to authenticate customers for online access to CPNI. We
invite comment on that proposal.
10. We also seek comment on whether there are other methods of
authentication that carriers should be allowed to implement to prevent
SIM fraud that originates in retail locations. Our rules currently
allow carriers to disclose CPNI to a customer at a carrier's retail
location if the customer presents a valid photo ID. We seek comment on
whether a government-issued ID alone is sufficient for in-person
authentication. How prevalent is in-person fraud using fake IDs as a
source of SIM swap fraud? What role can, and should, retail stores play
in authentication, particularly in situations where customers do not
have access to technology or are not tech savvy? Should customer
authentication requirements be the same for SIM changes initiated by
telephone, online, or in store?
11. We also invite comment on whether we should amend our rule on
passwords and back-up authentication methods for lost or forgotten
passwords. Our rules require a carrier to authenticate the customer
without the use of readily available biographical information or
account information to establish the password. We permit carriers to
create a back-up customer authentication method in the event of a lost
or forgotten password, but such back-up customer authentication method
may not prompt the customer for readily available biographical
information or account information. Should we make changes to this
requirement? If so, what changes are needed? Do the existing rules
create vulnerabilities that should be addressed? Should these
requirements be updated to reflect any changes in technology? How would
they enhance the protections already provided to consumer passwords?
12. Response to Failed Authentication Attempts. We propose to
require wireless carriers to develop procedures for responding to
failed authentication attempts, and we seek comment on this proposal.
We seek comment on what processes carriers can implement to prevent bad
actors from attempting multiple authentication methods while at the
same time ensuring that protections do not negatively impact legitimate
customer requests. For example, would a requirement that SIM swaps be
delayed for 24 hours in the case of multiple failed authentication
attempts while notifying the customer via text message and/or email, be
effective at protecting customers from fraudulent SIM swaps? If we
adopt such a rule, should we specify the number of attempts, and if so,
how many attempts should trigger the 24-hour delay? How burdensome
would this be for customers, and what costs would this impose on
carriers? How long would it take carriers to develop and implement
procedures for responding to failed authentication attempts? Would such
a requirement have anti-competitive effects?
13. Customer Notification of SIM Change Requests. As part of our
effort to protect consumers from fraudulent SIM swapping, we propose to
require wireless providers to notify customers immediately of any
requests for SIM changes. We seek comment on this proposal. Is it
unnecessary if we adopt specific heightened authentication requirements
prior to providing a SIM swap? Or will it provide a worthwhile second
line of protection against fraudulent SIM swaps?
14. Our CPNI rules currently require carriers to notify customers
immediately whenever a password, customer response to a back-up means
of authentication for lost or forgotten passwords, online account, or
address of record is created or changed. This notification may be
through a carrier-originated voicemail or text message to the telephone
number of record, or by mail to the address of record, and must not
reveal the changed information or be sent to the new account
information. As the Commission found with respect to these other types
of account changes, we believe that notification of SIM change requests
could be an important tool for customers to monitor their account's
security, and could help protect customers from bad actors ``that might
otherwise manage to circumvent [ ]authentication protections'' and
enable customers ``to take appropriate action in the event'' of
fraudulent activity. Do commenters agree?
15. We also seek comment on how this notification should be
provided to customers. We believe that the verification methods
provided in our rules for other types of account changes may be
insufficient to protect customers from SIM swap fraud because in these
situations, the bad actor has taken control of the customer's account
and any verification communications sent after the transfer by
voicemail or text may be directed to the bad actor rather than to the
victim. Moreover, mail to the address of record will likely be too slow
to stop the ongoing fraud that may involve financial accounts, social
media profiles, and other services. We therefore propose to amend our
rules to include notification requirements that would more effectively
alert customers to SIM fraud on their accounts and seek comment on what
types of notification would be most effective in alerting customers to
SIM swap fraud in progress. Would email notification be more effective?
Should we retain the option to send such notifications by mail even
though this method involves significant delay? Should carriers be
required to give customers the option of listing a personal contact
(e.g., a spouse or family member) and then inform that contact that the
customer is requesting a SIM swap? What other methods of communication
could be used to get timely notification to customers, particularly
those customers who are no longer in possession of their device because
it has been lost or stolen?
16. In addition to immediate customer notification of requests for
SIM swaps, we seek comment on requiring up to a 24-hour delay (or other
period of time) for SIM swap requests while notifying the customer via
text message, email, through the carrier's app, or other push
notification and requesting verification of the request. Once a
customer verifies the SIM change request either via text, the carrier's
app (if the device is in the customer's possession), an email response,
or the customer's online account, the carrier would be free to process
the SIM change. If we adopt heightened authentication requirements, is
a temporary delay in transferring the account to a new SIM necessary to
ensure sufficient time for a customer to receive the notification of
activity on the account and take action if the customer has not
initiated the changes? Would this requirement be effective in
preventing SIM swap fraud? How burdensome would such a delay be for
customers? Are there safety implications for customers who legitimately
need a new SIM? Could such a delay prevent
[[Page 57394]]
the customer from completing 911 calls during the waiting period? What
costs would this requirement impose on carriers, and how long would it
take carriers to develop, test, and implement such a process? Would
such a requirement be anti-competitive? Should we consider other
approaches to customer notifications of SIM transfers?
17. Customer Service, Training, and Transparency. Additionally, we
seek comment on whether we should impose customer service, training,
and/or transparency requirements specifically focused on preventing SIM
swap fraud. For example, should we require carriers to modify customer
record systems so that customer service representatives are unable to
access CPNI until after the customer has been properly authenticated?
Would this approach be effective in preventing customer service
representatives from assisting with authentication through the use of
leading questions or other more nefarious employee involvement in SIM
swap fraud? Would a requirement for record-keeping of the
authentication method used for each customer deter employee involvement
in SIM swapping fraud? Are there ways to avoid employee malfeasance,
such as requiring two employees to sign off on every SIM change? What
burdens would be associated with these possible requirements? Anecdotal
evidence suggests that, in some cases, customer service representatives
are not trained on procedures to deal with customers who have been
victims of SIM swap fraud, and as a result, customers who are already
victims have difficulty getting help from their carriers. To address
this concern, we seek comment on whether we should impose training
requirements for customer service representatives to address SIM swap
fraud attempts, complaints, and remediation. What costs would these
measures impose on carriers? Is there a way to reduce the burdens of
these proposals while still achieving the policy aims? Would these
proposals reduce SIM swap fraud or otherwise impact the customer
experience? How long would it take wireless carriers to implement any
new training requirements? Are there alternative approaches that might
be more effective or efficient?
18. We also seek comment on whether we should require wireless
providers to offer customers the option to disable SIM changes
requested by telephone and/or online access (i.e., account freezes or
locks). We believe that offering these protections would impose minimal
burdens on carriers while offering significant protection to customers.
Do commenters agree? Whether or not we require wireless providers to
offer such services, we also seek comment on whether we should require
carriers to provide a transparent, easy-to-understand, yearly notice to
customers of the availability of any account protection mechanisms the
carrier offers (e.g., SIM transfer freeze, port request freezes, PINs,
etc.). What costs would such notification requirements impose on
carriers? We believe that any customer notifications should be brief,
use easy-to-understand language, and be delivered in a manner that is
least burdensome to customers. We seek comment on what form such
notifications could take and how they could be delivered to customers
to provide meaningful notice of such services while imposing minimal
burden on carriers. Do we need to prescribe a method or methods for
customers to unfreeze or unlock their accounts? What methods would be
sufficiently secure? Would an unfreeze or unlock be immediate or should
there be a waiting period before an unlocked account can be
transferred?
19. Accounts with Multiple Lines. We seek comment on how these
proposed CPNI rule changes impact wireless accounts with multiple
lines, such as shared or family accounts. If we require the customer to
provide a one-time passcode for the carrier to execute a SIM change,
should each line on the shared or family account have its own passcode?
If the account owner elects to freeze the account to protect against
unauthorized changes, how can we ensure that another member of the
shared or family account remains able to port-out his or her number?
Should the freeze option apply only to individual lines and not to
entire accounts? Do our proposed rules impact these types of accounts
with multiple lines in any other ways?
20. Remediation of SIM Swap Fraud. We seek comment on how we can
enable timely resolution of SIM swap fraud to minimize financial and
other damage to customers who are victims of SIM swap fraud. How can we
encourage and/or ensure that carriers quickly resolve complaints in
cases of SIM swap fraud? Should we require carriers to respond to
customers and offer redress within a certain time frame? What would be
the costs to carriers, and what are the costs to customers if we do not
do so? We seek comment on the methods wireless carriers have
established to help victims of SIM swap fraud halt an unauthorized SIM
swap request or to recover their phone numbers from bad actors.
21. Carriers' Duty to Protect CPNI. We also seek comment on
codifying the Commission's expectation that carriers must take
affirmative measures to discover and protect against fraudulent
activity beyond the measures specifically dictated by our rules and
that additional measures (e.g., self-monitoring) are required to comply
with section 222's mandate to protect the confidentiality of customer
information. In the 2007 CPNI Order, the Commission codified the
requirement that carriers take reasonable measures to discover and
protect against unauthorized access to CPNI, and specified that
adoption of the rules in that Order does not relieve carriers of their
fundamental statutory duty to remain vigilant in their protection of
CPNI, nor does it insulate them from enforcement action for
unauthorized disclosure of CPNI. The Commission allowed carriers
flexibility in how they would satisfy their statutory obligations but
expressed an expectation that carriers would take affirmative measures
to discover and protect against fraudulent activities beyond what is
expressly required by the Commission's rules. We seek comment on
whether codifying a requirement to take affirmative measures to
discover and protect against fraudulent activities would lead to more
effective measures to detect and prevent SIM swap fraud. Has the
expectation expressed in 2007 been effective? Would the additional
threat of enforcement of a codified rule create additional incentives
for carriers to take more aggressive action to detect and prevent
fraudulent access to CPNI? We seek comment on whether there are
additional requirements needed to ensure that carriers comply with
their legal obligations under section 222 to detect and prevent SIM
swap fraud.
22. Tracking the Effectiveness of Authentication Measures. We seek
comment on what data carriers collect about SIM swap fraud, and whether
we should require that carriers track data regarding SIM swap
complaints to measure the effectiveness of their customer
authentication and account protection measures. What would be the
burdens of requiring wireless carriers to internally track customer SIM
swap complaints? Do wireless carriers already report this information
to the U.S. Secret Service and Federal Bureau of Investigation (FBI)
pursuant to the Commission's rules? We also seek comment on whether we
should modify our breach reporting rules to require wireless carriers
to report SIM swap and port-out fraud to the Commission, and what the
costs would be to carriers of
[[Page 57395]]
doing so, including the timeframe for implementing such a requirement.
Should we require carriers to inform the Commission of the
authentication measures that they have in place and when those measures
change? Would requiring carriers to update the Commission about changes
to authentication measures, along with the frequency of customer SIM
swap complaints, be sufficient to enable the Commission to evaluate the
efficacy of a carrier's authentication measures, or should the
Commission require carriers to provide additional information? We also
seek comment on how we should ensure carrier compliance with any
proposed obligations that we adopt. For example, should we specifically
direct the Commission's Enforcement Bureau, or another Bureau or
Office, to conduct compliance audits? Are there other audits or models
that we should use as guidelines to ensure compliance? We seek comment
on the best method to enforce our proposals.
23. Applicability of Customer Authentication Measures. We seek
comment on whether any new or revised customer authentication measures
we adopt should apply only to wireless carriers and only with respect
to SIM swap requests, or whether such expanded authentication
requirements would offer benefits for all purposes and with respect to
all providers covered by our CPNI rules. Is there anything unique about
VoLTE service or the upcoming Voice over New Radio (VoNR) that we need
to consider? Further, as the nation's networks migrate from 2G and 3G
to 4G and 5G, are there particular technical features that should be
taken into consideration regarding authentication requirements? Is the
type of phone number takeover that occurs through SIM swap fraud only
relevant to mobile phone numbers (due to SIM swaps and text message-
based text authentication)? Are there also concerns with respect to
account takeovers of interconnected Voice over Internet Protocol (VoIP)
services, one-way VoIP services, and landline telephone services? Even
if the same concerns are not present (or as strongly present), should
we apply any stronger authentication requirements to all providers to
protect customers' privacy and to provide uniform rules across all
providers? If so, under what legal authority could we extend the
proposed authentication requirements to services other than wireless?
Is there value to uniformity with other categories of providers? Would
costs imposed on these carriers outweigh the limited benefit of these
requirements related to non-wireless carriers? Are there any other
rules that would need to be aligned for consistency if we make changes
to the CPNI rules to address SIM swap fraud? In addition, if limited to
wireless providers only, we believe that any new rules we adopt should
apply to all providers of wireless services, including resellers. Do
commenters agree?
24. We also seek comment on whether any new rules should apply only
to certain wireless services, such as pre-paid services. Is SIM swap
fraud limited to, or more prevalent with, pre-paid or post-paid
wireless accounts? Do wireless resellers (many of which offer pre-paid
services) encounter this type of fraud more or less often than
facilities-based carriers? We invite comment on whether some or all
changes discussed here should apply to all mobile accounts or whether
certain changes should be limited to pre-paid or post-paid accounts
only. We note that pre-paid plans generally do not require credit
checks and therefore subscribers to prepaid plans may be more low-
income and economically vulnerable individuals. Would such requirements
impose disproportionate burdens on these customers?
25. We also seek comment on the scope of any changes that we may
make to the CPNI rules to address SIM swap fraud. Specifically, should
any new rules be narrowly tailored to deal only with SIM swap fraud, or
should they be broader to ensure that they cover the evolving state of
fraud on wireless customers? Outside of the account takeover context,
are there benefits to providing expanded authentication requirements
before providing access to CPNI to someone claiming to be a carrier's
customer? We seek comment on whether any heightened authentication
measures required (or prohibited) should apply for access to all CPNI,
or only in cases where SIM change requests are being made.
26. In addition, we seek comment on the impact that our proposed
rules could have on smaller carriers. Would the proposed requirements
impose additional burdens on smaller carriers? Would they face
different costs than larger carriers in implementing the new
requirements, if adopted? Would smaller carriers need more time to
comply with new authentication rules? Do they face other obstacles that
we have not considered here?
27. We believe that we have authority to adopt the proposed rules
discussed in this section pursuant to our authority under sections 4,
201, 222, 303, and 332 of the Act, and we seek comment on this
conclusion. Do we have additional sources of authority on which we may
rely here? To the extent that we have not already done so, we also
solicit input on the relative costs and benefits of our proposals to
amend the CPNI rules to address SIM swap fraud. How many legitimate SIM
swap requests do carriers receive yearly, and what are customers' most
common reasons for requesting a legitimate SIM swap? Is there any
evidence concerning the degree to which authentication measures limit
legitimate SIM swaps, or the degree to which they successfully prevent
fraud? We ask commenters for input on how any of these proposals could
positively or negatively affect the customer experience and whether
they foresee any unintended consequences from the changes we propose
here.
B. Strengthening the Commission's Number Porting Rules To Protect
Consumers
28. We next seek comment on proposals to strengthen our number
porting rules to protect customers from unauthorized ports and port-out
fraud. One reason that number porting can be used to subvert two-factor
authentication may be the relative ease with which carriers fulfill
port order requests from other carriers. We note that though the Act
makes it unlawful for any telecommunications carrier to ``submit or
execute a change in a subscriber's selection of a provider of telephone
exchange service . . . except in accordance with such verification
procedures as the Commission shall prescribe,'' the Commission's
slamming rules implementing this provision do not currently apply to
wireless carriers. As a result, wireless subscribers are not afforded
the same protections as wireline customers when their service is
switched to another carrier without their authorization. The Commission
has, in the past, been concerned that adding ``additional steps for the
customer would also add a layer of frustration and complexity to the
number porting process, with anticompetitive effects.'' While the
Commission remains committed to ``facilitat[ing] greater competition
among telephony providers by allowing customers to respond to price and
service changes . . . , '' we seek comment below on what additional
measures we can adopt to protect customers from port-out fraud.
29. Notification of Wireless Port Requests and Customer
Authentication Processes. We propose to require wireless carriers to
provide notification to customers through text message or other push
notification to the customer's device whenever a port-out request is
[[Page 57396]]
made to ensure that customers may take action in the event of an
unauthorized port request, and seek comment on our proposal. For
example, Verizon sends its customers a text message letting the
customer know that a port-out request has been initiated. When the
request is completed, Verizon will send the customer an email stating
that the port to the new service was successful. AT&T may also ``send
customers a text message to help protect them from illegal porting.
This notification will not prevent or delay the customer's request. It
just adds a simple step to better protect against fraud.'' We believe
that requiring customer notice of port requests could be a minimally
intrusive protective measure that could be automated to minimize delays
while providing significant protections for customers. Do commenters
agree? Do other carriers currently notify their customers of port-out
requests? What would be the costs for carriers to implement such a
requirement, particularly for smaller carriers? How much time would
carriers need to implement such a requirement? Would requiring
notification of port requests to customers harm competition? Is there a
particular method of notification that is most effective? For this and
other potential rules that may require text messages and/or push
notifications, should we define the scope of permissible text messages
or other push notifications and, if so, what definition or definitions
should we use?
30. We also seek comment on whether a port request notification
requirement is sufficient to protect customers from port-out fraud, or
whether we should also require customer verification or acknowledgement
of the text message or push notification through a simple Yes/No
response mechanism. Would a customer port verification requirement
unreasonably hinder the porting process, and could it be used
anticompetitively by carriers? Should we require that customers respond
within a certain amount of time before the carrier can execute the
port? We recognize that some customers may not frequently check their
text messages or push notifications, which could lead to a delay if we
require the customer to verify the port. Should we require carriers to
send follow-up messages to the customer via email or a phone call? What
other processes have wireless carriers adopted to protect customers
from port-out fraud, and have they been effective in reducing port-out
fraud?
31. As discussed above, the National Institute of Standards and
Technology and recent media reports call into question the security of
using text messages for authentication purposes. Is notification and/or
verification of a port request via text message a secure means of
authenticating the validity of a customer's wireless port request?
Should we instead require an automated notification call and
verification response through a voice call or other method, such as
email or carrier app? What methods would ensure that customers who have
voice-and-text-only service, or whose devices are incapable of
accessing a carrier's app or website, are not hindered in their porting
choices? Are there any barriers for smaller carriers implementing any
of these changes to protect customers' accounts from port-out fraud?
32. We seek comment whether we should require customers' existing
wireless carriers to authenticate a customer's wireless port request
through means other than the fields used to validate simple port
requests. Are the benefits of potentially protecting customers from
port-out fraud outweighed by the potential harms to competition from
delaying or impeding customers' valid wireless number port requests? We
seek comment on the processes that wireless carriers, including MVNO
providers, resellers, and smaller carriers, currently use to
authenticate customer port-out requests, and whether those methods are
effective in preventing port-out fraud. According to CTIA, ``[w]ireless
providers are constantly improving internal processes to stay ahead of
. . . bad actors, while protecting the rights of legitimate customers
to transfer their phone number to a new device or wireless provider,''
including ``[s]ending one-time passcodes via text message or email to
the account phone number or the email associated with the account when
changes are requested . . . .'' Verizon will not allow its customers to
transfer their number to a different carrier unless that customer first
requests a Number Transfer Pin. When a Verizon customer requests a port
from its new service provider, the customer must present the Verizon
account number and Number Transfer Pin in order to authenticate the
request. AT&T customers can create a unique passcode that in most cases
the customer is required to provide ``before any significant changes
can be made including porting through another carrier,'' and starting
September 30, 2021, will require customers to request a Number Transfer
PIN to transfer their number to another service provider, which will
replace the account passcode customers currently use. T-Mobile assigns
each of its customer accounts a 6-15 digit PIN that must be provided
whenever an individual requests to port-out the phone number associated
with that account. Have such port-out PINs been effective at protecting
customers from port-out fraud? Have carriers noticed any effect from
adopting port-out PINs or other additional security measures on their
customers' likelihood of switching carriers? Is there any evidence
indicating how security measures affect porting frequency? Should we
require wireless carriers to authenticate customers for wireless port
requests under the same standard as we require carriers to authenticate
customers for SIM change requests, recognizing that in the porting
context, the Act sets forth competing goals of protecting customer
information and promoting competition through local number porting?
What would be the benefits and costs of doing so?
33. We seek comment on any other technical or innovative solutions
for customer authentication for port requests that carriers could
implement to reduce port-out fraud. For example, are there technologies
developed out of the Mobile Authentication task force, a collaboration
among the three major U.S. wireless carriers, that could be easily
implemented into the port authentication process? ZenKey, which was
developed under the auspices of the Mobile Authentication task force,
``collects and shares device and account data with your wireless
carrier . . . [to] easily and more securely authenticate, sign up, and
sign in,'' and ``uses multi-factor authentication, including unique
network signals, to not only verify a user's device but also allow
verification that the user is who they say they are.'' Could carriers
use similar technology to authenticate wireless customer port requests?
What would be the costs of doing so and what are the challenges to
implementation, including customer privacy and consent implications?
What other technologies exist that carriers could use to quickly and
effectively authenticate wireless port requests to reduce port-out
fraud? As the nation's networks migrate from 2G and 3G to 4G and 5G,
are there particular technical features that should be taken into
consideration for protecting customers from port-out fraud?
34. We seek comment on whether we should require all carriers to
implement any of the additional authentication processes for wireless
port requests some providers have already developed and implemented. Is
there value in uniformity? Would it reduce consumer confusion if we
mandate the same authentication requirements on all wireless port-out
requests regardless of
[[Page 57397]]
the providers involved? Would that potential reduction in consumer
confusion outweigh the benefits of enabling carriers to create
innovative procedures to protect against port-out fraud attempts as
they evolve? Would requiring specific additional customer
authentication procedures, as opposed to simply making it clear that
carriers are responsible for preventing port-out fraud, provide a
roadmap to bad actors? Should we instead require carriers to develop
heightened customer authentication procedures like those already
initiated by the three nationwide wireless carriers, but provide
flexibility to the individual carriers to create and employ what works
best for their service? Should we require different authentication
procedures for pre-paid wireless account port-out requests than we do
for post-paid wireless account port-out requests? We also seek comment
on what implementation period the wireless industry would need to
implement any additional validation requirements and processes we
adopt.
35. We seek comment on how additional port authentication
requirements would affect the timing of simple wireless-to-wireless
ports. Would allowing additional authentication procedures cause
unreasonable delay to the wireless porting process or cause harm to
competition? In adopting any additional customer authentication
requirements, we want to ensure that we leave carriers in a position to
innovate and address new problems as they arise. Relatedly, we seek
comment on whether it is necessary to codify a simple wireless-to-
wireless porting interval to ensure that any new port authentication
requirements do not lead to delay in the current porting process. The
wireless industry has voluntarily established an industry standard of
two and one-half hours for simple wireless-to-wireless ports. Should we
codify this interval in our rules?
36. Port-Freeze Offerings. We propose to require all wireless
providers, including resellers, to offer customers the option to place
a ``port-freeze'' on their accounts at no cost to the customer to help
deter port-out fraud. We observe that our rules currently permit local
exchange carriers (LECs) to offer their customers the ability to
``prevent[ ] a change in a subscriber's preferred carrier selection
unless the subscriber gives the carrier from whom the freeze was
requested his or her express consent.'' Should we require wireless
providers to offer a similar option, and would making this option
available to wireless customers deter wireless port-out fraud? Verizon
offers customers the option to lock their number, blocking all port-out
requests unless the account owner turns off the Number Lock feature
through the Verizon mobile app, on Verizon's website, or by calling
customer service. Do other wireless carriers currently offer a similar
feature? Has this feature, and others like it, been successful at
deterring port-out fraud? What costs would offering this feature impose
on carriers? How can we make sure that customers are easily notified of
this feature? Would a one-time notice for existing customers, and
notice at the time service is started, be effective at notifying
customers? How often should carriers provide this notice to customers?
What method would be least burdensome on carriers while also notifying
all customers, including those that do not access their accounts
through online services or carrier apps, of the availability of this
feature? Local exchange carriers who offer their customers the
``preferred carrier freeze'' option must follow specific requirements
regarding the solicitation and imposition of this option. Should we
extend similar requirements to wireless carriers? If we impose these
requirements, would the benefits gained by deterring port-out fraud
outweigh the costs of this measure? What happens when a customer locks
his or her account but is unable to recall the information necessary to
unlock their account? Should there be a back-up authentication method
available? Are there other methods wireless carriers use to prevent
unauthorized port requests that we should consider requiring?
37. Wireless Port Validation Fields. We also propose to codify the
types of information carriers must use to validate simple wireless-to-
wireless port requests. Pursuant to the Commission's 2007 LNP Four
Fields Declaratory Ruling, the wireless industry agreed to use three
fields of customer-provided information--telephone number, account
number, and ZIP code--plus a passcode field (if customer-initiated) to
validate requests for simple wireless-to-wireless ports. We propose to
codify this requirement in our rules for simple wireless-to-wireless
ports, just as we have codified field requirements for simple wireline
and intermodal ports. We preliminarily believe that standardizing the
fields necessary to complete a simple wireless-to-wireless port will
allow for quicker and more efficient porting, and we seek comment on
this view. We propose adopting the existing fields because we are
cognizant that imposing new or different customer-required information
fields could complicate the porting process, from both the carrier and
customer perspectives, and we seek comment on this view. We seek
comment whether codifying the existing fields used for validating
simple wireless ports, in combination with immediate customer
notification of port-requests and the offering and advertisement of
port-freeze options as we propose, would help to protect customers from
port-out fraud. Do such measures appropriately balance the competitive
benefits of rapid porting with protecting customers' accounts from
fraud?
38. Are there additional fields of customer-provided information we
should require for validation of wireless-to-wireless ports to minimize
port-out fraud, while ensuring the continued rapid execution of valid
port-out requests? If we require additional fields of customer-provided
information for only wireless-to-wireless simple ports, will that cause
unnecessary complications for the telecommunications industry as a
whole? Will it impose additional costs on wireless carriers that would
reduce competition in the telecommunications marketplace? We seek
comment on whether requiring carriers to implement changes to the
wireless port validation requirements would significantly impair the
customer's ability to perform a legitimate port-out request. Would
requiring carriers to implement additional customer-provided fields for
wireless port requests stifle the ability of customers to switch
carriers while retaining their phone number or keep customers locked
into contracts with their current service providers? Would customers
still be able to respond to price and service changes in a quick and
efficient manner? Finally, we propose to make clear that any customer
validation requirements apply to both facilities-based wireless
carriers and resellers of wireless service and we seek comment on that
proposal.
39. We seek comment on whether we should require carriers to
implement a customer-initiated passcode field for all wireless number
port requests, or whether it should remain optional. While AT&T,
Verizon, and T-Mobile offer this option, it is unclear if all customers
are required to participate. What would be the burden on customers and
carriers, particularly smaller carriers, were we to mandate passcode
fields for wireless number port requests? Could it harm competition and
cause customer frustration if a customer has either not set up a
passcode or does not know how to set up a passcode? Should we require
carriers to make a customer-
[[Page 57398]]
initiated passcode optional on an opt-out rather than opt-in basis?
What steps could carriers take to make it least burdensome on customers
to establish an account passcode for wireless number porting purposes?
We also seek comment on how we can ensure that a customer can make a
legitimate port request if he forgets his passcode.
40. Remediating Port-Out Fraud. We seek comment on how we can
ensure timely resolution of unauthorized port-out requests to minimize
financial and other damage to customers who are victims of such fraud.
What information do wireless carriers currently collect about port-out
fraud? Are wireless carriers already tracking instances of customer
complaints regarding this issue? Should we require that carriers use
this information to measure the effectiveness of their customer
authentication and account protection measures? How can we encourage
and/or ensure that carriers coordinate and work together to quickly
resolve complaints in cases of port-out fraud? Should we require
carriers to respond to customers who allege they are victims of port-
out fraud and to offer redress to such customers within a certain time
frame? What would be the costs to carriers, and what are the costs to
customers if we do not do so? We seek comment on the methods wireless
carriers have established to help victims of port-out fraud stop an
unauthorized port-out request or to recover their phone numbers from
bad actors.
41. Accounts With Multiple Lines. We seek comment on how the
proposed changes to our LNP rules impact wireless accounts with
multiple lines, such as shared or family accounts. If we require the
customer to provide a one-time passcode for the carrier to execute the
port, should each line on the shared or family account have its own
passcode? If the account owner elects to freeze the account to protect
against unauthorized changes, how can we ensure that another member of
the shared or family account remains able to port-out their number?
Should the port-freeze option apply only to individual lines and not to
entire accounts? Do our proposed rules impact these types of accounts
with multiple lines in any other ways?
42. Role of Administrator. We also seek comment on whether the
Local Number Portability Administrator (LNPA) can play a role in
thwarting port-out fraud by serving as an authorized neutral third-
party to verify customer identification prior to authorizing a port-out
request. The LNPA operates the Number Portability Administration Center
(NPAC), which ``is the system that supports the implementation of LNP
and is used to facilitate number porting in the United States. The
LNPA, through the NPAC, currently works with a customer's new service
provider to create a number port and sends a notification to the old
service provider, once the existing service provider validates and
confirms the subscriber's information. What information regarding port
requests does the NPAC retain? Is there additional information
regarding port requests the NPAC should retain to help prevent port-out
fraud? What records could be helpful if provided to customers who have
been victims of unauthorized port-out fraud? Through what means and
under what conditions, if any, should wireless providers permit their
customers to access NPAC data regarding port requests that pertain to
the customer's telephone number? Are there additional obligations that
we should direct or encourage North American Portability Management,
LLC, which oversees the LNPA contract, to impose on the LNPA to
safeguard against port-out fraud?
43. As discussed above, the Number Portability Industry Forum has
created ``Best Practices'' for porting between and within telephony
carriers. Best Practice 73 (Unauthorized Port Flow) specifically
addresses carrier processes for responding to unauthorized ports,
including fraudulent ports, which are ports ``which occurred as the
result of an intentional act of fraud, theft, and/or
misrepresentation.'' We seek comment on the extent to which wireless
providers have adopted Best Practice 73. If wireless carriers have
adopted Best Practice 73, is it effective in addressing port-out fraud?
Are there changes we can make to the process flow to better protect
customers? If wireless carriers have not implemented Best Practice 73,
we seek comment on other methods they use to investigate potentially
fraudulent ports and how they restore service to the customer. Should
we require mobile carriers to adopt Best Practice 73 to help speed
resolution of fraudulent port complaints? We also seek comment on what
role the North American Numbering Council (NANC) can play in
establishing updated best practices to protect customers from port-out
fraud and in reaching industry consensus.
44. Partial Porting Fraud. We seek comment on whether the proposals
on which we seek comment above would also be effective against partial
porting fraud, where the bad actor changes the consumer's carrier for
delivery of SMS messages without changing their primary carrier. Would
our proposed customer notification and authentication rule prevent
routing of SMS messages through an alternate provider without customer
notification? Would a port freeze prevent changing the delivery
provider and destination of SMS messages? If not, what changes to the
proposed rules would be required to ensure they also apply to partial
porting fraud? What additional measures would be necessary to prevent
partial porting fraud in addition to the fraud that may occur when a
wireless provider completely ports a consumer's mobile service?
45. Impact on Smaller Carriers. We seek comment on the impact the
LNP rule changes that we discuss above could have on smaller carriers.
Would these new requirements impose undue burdens on smaller carriers?
Would smaller carriers face different costs from larger carriers in
implementing the new requirements, if adopted? Would smaller carriers
need more time to comply with revised number porting rules? Do they
face other obstacles that we have not considered here?
46. Legal Authority. Finally, we seek comment on our legal
authority to adopt the possible rules discussed in this section. We
propose to rely on authority derived from sections 4, 201, 251(b)(2),
251(e), 303, and 332 of the Act to implement the proposed changes to
our number porting rules to address port-out fraud, and seek comment on
our proposal. Are there additional sources of authority on which the
Commission can rely to implement these proposals? Should we extend any
of the LNP rules on which we seek comment to any entities other than
wireless carriers, such as landline carriers or VoIP providers? If so,
we propose concluding that we have authority to do so pursuant to
section 251(e), and we seek comment on this view. We also seek comment
on whether we should update the references to ``CMRS'' in the
Commission's number porting rules to reflect evolving technology.
Finally, we solicit input on the relative costs and benefits of our
proposals to amend the LNP rules to address port-out fraud.
C. Additional Consumer Protection Measures
47. Finally, we seek comment on any additional rules that would
help protect customers from SIM swap or port-out fraud or assist them
with resolving problems resulting from such incidents. We are aware
that customers sometimes need documentation of the fraud incident to
provide to law enforcement, financial institutions, or others to
resolve financial fraud or other harms of the incident. A SIM swap or
port-out
[[Page 57399]]
fraud victim may have difficulty obtaining such documentation from the
carrier because the carrier may not have processes in place to produce
such documentation. To provide support for customers who have become
victims, we seek comment on requiring wireless carriers to provide to
customers (upon request) documentation of SIM swap or port-out fraud on
accounts that the customer may then provide to law enforcement,
financial institutions, or others. We seek comment on what information
should be included in the documentation provided by carriers. We also
seek comment on the potential benefits and projected costs of this
proposal, including on smaller providers. Further, we invite input on
how the proposed rule would affect the customer experience, either
positively or negatively.
48. Next, we seek comment on other measures we can adopt to ensure
that customers have easy access to information they need to report SIM
swap, port-out, or other fraud. As discussed above, we believe that
customer service representatives should be trained on how to assist
customers who have been victims of SIM swap or port-out fraud, and
carriers should have procedures in place for a response. Identity
theft, including SIM swap fraud, can cause intense anxiety for victims
and must be addressed in a timely manner to prevent financial losses
and exposure of personal information. Thus, in addition to providing
documentation, we believe that it should be easy for a customer to get
access to appropriate carrier resources that can help mitigate the
significant harms caused by SIM swap or port-out fraud. As such, we
seek comment on whether we should adopt rules addressing how wireless
carriers deal with customers once they have become victims of SIM
swapping and port-out fraud. What procedures do carriers have in place
to assist customers in these circumstances and are these procedures
effective? What additional steps can carriers take to recover the
account and stop the ongoing fraudulent activity? How can carriers
ensure that customers have easy access to the information they need to
report SIM swap fraud? Should we require wireless carriers to establish
a dedicated point or method of contact that is easily accessible by
customers and is made available on the carrier's website so that
customers can get timely assistance from their carriers? Or, given the
time-sensitive nature of most fraud, would it make sense to require
carriers to have a dedicated and publicized fraud hotline that
customers can call directly in the case of suspected fraud? What costs
would such a requirement impose on carriers, and how long would it take
for carriers to implement? Are any of the Commission's existing rules
obstacles to helping customers recover following a SIM swap or port-out
fraud incident?
49. We seek comment on whether there are other customer protections
we could adopt to address the problems associated with SIM swap and
port-out fraud. For example, should the Commission require wireless
carriers to enable ``fraud alerts'' on accounts and publicize these
services to customers? Such fraud alerts could trigger additional
protections when changes are requested on the accounts. Would such a
requirement be effective at deterring SIM swap and port-out fraud?
Would it have any unintended consequences for customers? What would
such a requirement cost? Are there any other consumer protections that
would be effective in combatting SIM swap and port-out fraud and, if
so, how would they operate? What would be their relative costs and
benefits? For example, we understand that in other countries, carriers
and financial institutions share information about SIM transfers to
limit damages to consumers resulting from incidents of SIM swap fraud.
As discussed above, section 222 strictly limits carriers' ability to
share a customer's CPNI without the customer's consent. Can we, and
should we, encourage carriers to establish a mechanism based on express
customer consent that would enable a financial institution to determine
whether a SIM transfer had been recently completed to help protect
customers from the financial harms of SIM swap and port-out fraud? If
so, should we require or encourage carriers to ask for customer
permission upon set up of accounts (and to send out one-time notice to
all existing customers asking if they want to permit this)? Should such
a rule require retention of the record of this permission for some
designated period of time? Should carriers be permitted to charge a fee
for this service either to the wireless customer or to the financial
institution? Are there other types of institutions that might need
access to the same type of information to prevent fraud? Should our
rules expressly permit or prohibit this type of service? What are the
potential risks and benefits to consumers? We seek comment on how we
can ensure that customers are able to take advantage of third-party
fraud services to protect against SIM swap and port-out fraud.
50. We tentatively conclude that our broad Title III authority
would support imposing additional consumer protection obligations such
as those discussed in this section on wireless carriers. We also seek
comment on whether authority derived from sections 4, 201, 222, 251,
303, and 332 would support such additional consumer protection
measures. Should we extend any new consumer protection requirements to
interconnected VoIP services, one-way VoIP services, or landline
services? If so, pursuant to what legal authority would the Commission
adopt such rules? We invite commenters to discuss the relative costs
and benefits of these proposals and any foreseeable unintended
consequences of the measures we discuss.
51. We seek comment on whether there are standards-setting bodies,
industry organizations, or consumer groups that could evaluate this
issue to augment our understanding and present possible solutions. For
example, could the Alliance for Telecommunications Industry Solutions
(ATIS) provide technical expertise that would be useful in determining
the best course of action by the Commission to protect customers from
SIM swap or port-out fraud? Could relevant trade associations work to
develop industry consensus solutions to the problem?
52. Digital Equity and Inclusion. Finally, the Commission, as part
of its continuing effort to advance digital equity for all, including
people of color, persons with disabilities, persons who live in rural
or Tribal areas, and others who are or have been historically
underserved, marginalized, or adversely affected by persistent poverty
or inequality, invites comment on any equity-related considerations and
benefits (if any) that may be associated with the proposals and issues
discussed herein. Specifically, we seek comment on how our proposals
may promote or inhibit advances in diversity, equity, inclusion, and
accessibility, as well the scope of the Commission's relevant legal
authority. The term ``equity'' is used here consistent with Executive
Order 13985 as the consistent and systematic fair, just, and impartial
treatment of all individuals, including individuals who belong to
underserved communities that have been denied such treatment, such as
Black, Latino, and Indigenous and Native American persons, Asian
Americans and Pacific Islanders and other persons of color; members of
religious minorities; lesbian, gay, bisexual, transgender, and queer
(LGBTQ+) persons; persons with disabilities; persons who live in rural
[[Page 57400]]
areas; and persons otherwise adversely affected by persistent poverty
or inequality. See Exec. Order No. 13985, 86 FR 7009, Executive Order
on Advancing Racial Equity and Support for Underserved Communities
Through the Federal Government (January 20, 2021).
II. Initial Regulatory Flexibility Analysis
53. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), the Commission has prepared this Initial Regulatory
Flexibility Analysis (IRFA) of the possible significant economic impact
on a substantial number of small entities by the policies and rules
proposed in the Notice of Proposed Rulemaking (NPRM). Written comments
are requested on this IRFA. Comments must be identified as responses to
the IRFA and must be filed by the deadlines for comments on the NPRM
provided on the first page of the item. The Commission will send a copy
of the NPRM, including this IRFA, to the Chief Counsel for Advocacy of
the Small Business Administration (SBA). In addition, the NPRM and IRFA
(or summaries thereof) will be published in the Federal Register.
A. Need For, and Objectives of, the Proposed Rules
54. This item focuses developing protections to address SIM
swapping and port-out fraud. In SIM swapping, the bad actor targets a
consumer's subscriber identity module (SIM) and convinces the victim's
wireless carrier to transfer the victim's service from the original
device (and that device's SIM) to a cell phone in the bad actor's
possession. A consumer's wireless phone number is associated with the
SIM in that consumer's cell phone; by ``swapping'' the SIM associated
with a phone number, the bad actor can take control of a consumer's
cell phone account. In ``port-out fraud,'' the bad actor, posing as the
victim, opens an account with a carrier other than the victim's current
carrier. The bad actor then arranges for the victim's phone number to
be transferred to (or ``ported out'') to the account with the new
carrier controlled by the bad actor.
55. We have received numerous consumer complaints from people who
have suffered significant distress, inconvenience, and financial harm
as a result of SIM swapping and port-out fraud. Today, we take aim at
these scams, with the goal of foreclosing these opportunistic ways in
which bad actors take over consumers' cell phone accounts. Section 222
of the Communications Act of 1934, as amended (the ``Act''), and our
Customer Proprietary Network Information (CPNI) rules, which govern the
use, disclosure, and protection of sensitive customer information to
which a telecommunications carrier has access, require carriers to take
reasonable measures to discover and protect against attempts to gain
unauthorized access to customers' private information. Our Local Number
Portability (LNP) rules govern the porting of telephone numbers from
one carrier to another. Yet, it appears that neither our CPNI rules nor
our LNP rules are adequately protecting consumers against SIM swap and
port-out fraud. We, therefore, propose to amend our CPNI and LNP rules
to require carriers to adopt secure methods of authenticating a
customer before redirecting a customer's phone number to a new device
or carrier. We also propose to require providers to immediately notify
customers whenever a SIM change or port request is made on customers'
accounts, and we seek comment on other ways to protect consumers from
SIM swapping and port-out fraud.
B. Legal Basis
56. The legal basis for any action that may be taken pursuant to
this NPRM is contained in sections 1, 4(i), 4(j), 201, 222, 251,
303(r), and 332 of the Communications Act of 1934, as amended, 47
U.S.C. 151, 154, 201, 222, 251, 303(r), 332.
C. Description and Estimate of the Number of Small Entities to Which
the Proposed Rules Will Apply
57. The RFA directs agencies to provide a description of, and,
where feasible, an estimate of the number of small entities that may be
affected by the proposed rules and policies, if adopted. The RFA
generally defines the term ``small entity'' as having the same meaning
as the terms ``small business,'' ``small organization,'' and ``small
governmental jurisdiction.'' In addition, the term ``small business''
has the same meaning as the term ``small business concern'' under the
Small Business Act. A ``small business concern'' is one which: (1) Is
independently owned and operated; (2) is not dominant in its field of
operation; and (3) satisfies any additional criteria established by the
SBA.
58. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. Our actions, over time, may affect small entities that
are not easily categorized at present. We therefore describe here, at
the outset, three broad groups of small entities that could be directly
affected herein. First, while there are industry specific size
standards for small businesses that are used in the regulatory
flexibility analysis, according to data from the Small Business
Administration's (SBA) Office of Advocacy, in general a small business
is an independent business having fewer than 500 employees. These types
of small businesses represent 99.9 percent of all businesses in the
United States, which translates to 30.7 million businesses.
59. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2018, there were
approximately 571,709 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
60. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments indicate that there
were 90,075 local governmental jurisdictions consisting of general
purpose governments and special purpose governments in the United
States. Of this number there were 36,931 general purpose governments
(county, municipal and town or township) with populations of less than
50,000 and 12,040 special purpose governments--independent school
districts with enrollment populations of less than 50,000.
1. Providers of Telecommunications and Other Services
61. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as ``establishments primarily engaged in
operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of
voice, data, text, sound, and video using wired communications
networks. Transmission facilities may be based on a single technology
or a combination of technologies. Establishments in this industry use
the wired telecommunications network facilities that they operate to
provide a variety of services, such as wired telephony
[[Page 57401]]
services, including VoIP services, wired (cable) audio and video
programming distribution, and wired broadband internet services. By
exception, establishments providing satellite television distribution
services using facilities and infrastructure that they operate are
included in this industry.'' The SBA has developed a small business
size standard for Wired Telecommunications Carriers, which consists of
all such companies having 1,500 or fewer employees. U.S. Census Bureau
data for 2012 show that there were 3,117 firms that operated that year.
Of this total, 3,083 operated with fewer than 1,000 employees. Thus,
under this size standard, the majority of firms in this industry can be
considered small.
62. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses specifically
applicable to local exchange services. The closest applicable NAICS
Code category is Wired Telecommunications Carriers. Under the
applicable SBA size standard, such a business is small if it has 1,500
or fewer employees. U.S. Census Bureau data for 2012 show that there
were 3,117 firms that operated for the entire year. Of that total,
3,083 operated with fewer than 1,000 employees. Thus under this
category and the associated size standard, the Commission estimates
that the majority of local exchange carriers are small entities.
63. Incumbent Local Exchange Carriers (LECs). Neither the
Commission nor the SBA has developed a small business size standard
specifically for incumbent local exchange services. The closest
applicable NAICS Code category is Wired Telecommunications Carriers.
Under the applicable SBA size standard, such a business is small if it
has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate
that 3,117 firms operated the entire year. Of this total, 3,083
operated with fewer than 1,000 employees. Consequently, the Commission
estimates that most providers of incumbent local exchange service are
small businesses that may be affected by our actions. According to
Commission data, one thousand three hundred and seven (1,307) Incumbent
Local Exchange Carriers reported that they were incumbent local
exchange service providers. Of this total, an estimated 1,006 have
1,500 or fewer employees. Thus, using the SBA's size standard the
majority of incumbent LECs can be considered small entities.
64. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA has developed a small business size standard specifically for
Interexchange Carriers. The closest applicable NAICS Code category is
Wired Telecommunications Carriers. The applicable size standard under
SBA rules is that such a business is small if it has 1,500 or fewer
employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms
operated for the entire year. Of that number, 3,083 operated with fewer
than 1,000 employees. According to internally developed Commission
data, 359 companies reported that their primary telecommunications
service activity was the provision of interexchange services. Of this
total, an estimated 317 have 1,500 or fewer employees. Consequently,
the Commission estimates that the majority of interexchange service
providers are small entities.
65. Competitive Local Exchange Carriers (Competitive LECs).
Competitive Access Providers (CAPs), Shared-Tenant Service Providers,
and Other Local Service Providers. Neither the Commission nor the SBA
has developed a small business size standard specifically for these
service providers. The appropriate NAICS Code category is Wired
Telecommunications Carriers and under that size standard, such a
business is small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2012 indicate that 3,117 firms operated during that
year. Of that number, 3,083 operated with fewer than 1,000 employees.
Based on these data, the Commission concludes that the majority of
Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other
Local Service Providers, are small entities. According to Commission
data, 1,442 carriers reported that they were engaged in the provision
of either competitive local exchange services or competitive access
provider services. Of these 1,442 carriers, an estimated 1,256 have
1,500 or fewer employees. In addition, 17 carriers have reported that
they are Shared-Tenant Service Providers, and all 17 are estimated to
have 1,500 or fewer employees. Also, 72 carriers have reported that
they are Other Local Service Providers. Of this total, 70 have 1,500 or
fewer employees. Consequently, based on internally researched FCC data,
the Commission estimates that most providers of competitive local
exchange service, competitive access providers, Shared-Tenant Service
Providers, and Other Local Service Providers are small entities.
66. Local Resellers. The SBA has not developed a small business
size standard specifically for Local Resellers. The closest NAICS Code
Category is Telecommunications Resellers. The Telecommunications
Resellers industry comprises establishments engaged in purchasing
access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. MVNOs
are included in this industry. The SBA has developed a small business
size standard for the category of Telecommunications Resellers. Under
that size standard, such a business is small if it has 1,500 or fewer
employees. 2012 U.S. Census Bureau data show that 1,341 firms provided
resale services during that year. Of that number, 1,341 operated with
fewer than 1,000 employees. Thus, under this category and the
associated small business size standard, the majority of these
resellers can be considered small entities. According to Commission
data, 881 carriers have reported that they are engaged in the provision
of toll resale services. Of this total, an estimated 857 have 1,500 or
fewer employees. Consequently, the Commission estimates that the
majority of local resellers are small entities.
67. Toll Resellers. The Commission has not developed a definition
for Toll Resellers. The closest NAICS Code Category is
Telecommunications Resellers. The Telecommunications Resellers industry
comprises establishments engaged in purchasing access and network
capacity from owners and operators of telecommunications networks and
reselling wired and wireless telecommunications services (except
satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. MVNOs are included in this industry. The
SBA has developed a small business size standard for the category of
Telecommunications Resellers. Under that size standard, such a business
is small if it has 1,500 or fewer employees. 2012 U.S. Census Bureau
data show that 1,341 firms provided resale services during that year.
Of that number, 1,341 operated with fewer than 1,000 employees. Thus,
under this category and the associated small business size standard,
the majority of these resellers can be considered small entities.
According to Commission data, 881 carriers have reported that they are
engaged in the provision of toll resale services. Of this total, an
estimated 857 have 1,500 or fewer employees. Consequently, the
[[Page 57402]]
Commission estimates that the majority of toll resellers are small
entities.
68. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
appropriate size standard under SBA rules is that such a business is
small if it has 1,500 or fewer employees. For this industry, U.S.
Census Bureau data for 2012 show that there were 967 firms that
operated for the entire year. Of this total, 955 firms employed fewer
than 1,000 employees and 12 firms employed of 1000 employees or more.
Thus under this category and the associated size standard, the
Commission estimates that the majority of Wireless Telecommunications
Carriers (except Satellite) are small entities.
69. The Commission's own data--available in its Universal Licensing
System--indicate that, as of August 31, 2018 there are 265 Cellular
licensees that will be affected by our actions. The Commission does not
know how many of these licensees are small, as the Commission does not
collect that information for these types of entities. Similarly,
according to internally developed Commission data, 413 carriers
reported that they were engaged in the provision of wireless telephony,
including cellular service, Personal Communications Service (PCS), and
Specialized Mobile Radio (SMR) Telephony services. Of this total, an
estimated 261 have 1,500 or fewer employees, and 152 have more than
1,500 employees. Thus, using available data, we estimate that the
majority of wireless firms can be considered small.
70. Satellite Telecommunications. This category comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The category has a small business size standard of
$35 million or less in average annual receipts, under SBA rules. For
this category, U.S. Census Bureau data for 2012 show that there were a
total of 333 firms that operated for the entire year. Of this total,
299 firms had annual receipts of less than $25 million. Consequently,
we estimate that the majority of satellite telecommunications providers
are small entities.
71. All Other Telecommunications. The ``All Other
Telecommunications'' category is comprised of establishments primarily
engaged in providing specialized telecommunications services, such as
satellite tracking, communications telemetry, and radar station
operation. This industry also includes establishments primarily engaged
in providing satellite terminal stations and associated facilities
connected with one or more terrestrial systems and capable of
transmitting telecommunications to, and receiving telecommunications
from, satellite systems. Establishments providing internet services or
voice over internet protocol (VoIP) services via client-supplied
telecommunications connections are also included in this industry. The
SBA has developed a small business size standard for ``All Other
Telecommunications,'' which consists of all such firms with annual
receipts of $35 million or less. For this category, U.S. Census Bureau
data for 2012 show that there were 1,442 firms that operated for the
entire year. Of those firms, a total of 1,400 had annual receipts less
than $25 million and 15 firms had annual receipts of $25 million to
$49,999,999. Thus, the Commission estimates that the majority of ``All
Other Telecommunications'' firms potentially affected by our action can
be considered small.
2. Internet Service Providers
72. internet Service Providers (Broadband). Broadband internet
service providers include wired (e.g., cable, DSL) and VoIP service
providers using their own operated wired telecommunications
infrastructure fall in the category of Wired Telecommunication
Carriers. Wired Telecommunications Carriers are comprised of
establishments primarily engaged in operating and/or providing access
to transmission facilities and infrastructure that they own and/or
lease for the transmission of voice, data, text, sound, and video using
wired telecommunications networks. Transmission facilities may be based
on a single technology or a combination of technologies. The SBA size
standard for this category classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2012 show that
there were 3,117 firms that operated that year. Of this total, 3,083
operated with fewer than 1,000 employees. Consequently, under this size
standard the majority of firms in this industry can be considered
small.
D. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
73. In this NPRM, we propose to prohibit wireless carriers from
effectuating a SIM swap unless the carrier uses a secure method of
authenticating its customer. We also propose to amend our CPNI rules to
require wireless carriers to develop procedures for responding to
failed authentication attempts and to notify customers immediately of
any requests for SIM changes. We also seek comment on whether we should
impose customer service, training, and transparency requirements
specifically focused on preventing SIM swap fraud. We likewise propose
to amend our number porting rules to combat port-out fraud while
continuing to encourage robust competition through efficient number
porting. Specifically, the Commission also proposes to amend the LNP
rules to require carriers to send customers a text message or push
notification whenever a porting request is made; to require carriers to
allow customers the option to freeze their accounts to prevent any
unauthorized port-out requests; and to codify the data fields wireless
carriers must use to validate a port request. Finally, we also seek
comment whether we should adopt any other changes to our rules to
address SIM swap and port-out fraud, including the difficulties
encountered by victims of these schemes.
74. Should the Commission decide to modify existing rules or adopt
new rules to protect customers from SIM swap or porting-out fraud, such
action could potentially result in increased, reduced, or otherwise
modified recordkeeping, reporting, or other compliance requirements for
affected providers of service. We seek comment on the effect of any
proposals on small entities. Entities, especially small businesses, are
encouraged to quantify the costs and benefits of any reporting,
recordkeeping, or compliance requirement that may be established in
this proceeding.
E. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
75. The RFA requires an agency to describe any significant,
specifically small business, alternatives that it has considered in
reaching its proposed approach, which may include the following four
alternatives (among others): ``(1) the establishment of differing
compliance or reporting
[[Page 57403]]
requirements or timetables that take into account the resources
available to small entities; (2) the clarification, consolidation, or
simplification of compliance and reporting requirements under the rule
for such small entities; (3) the use of performance rather than design
standards; and (4) an exemption from coverage of the rule, or any part
thereof, for such small entities.''
76. In this NPRM, we seek comment whether the Commission should
modify its CPNI or LNP rules to protect customers from SIM swap and
port-out fraud, and, if so, whether our proposals would be effective to
do so. In this NPRM, we seek comment on the impact that any proposed
rules could have on smaller carriers. We also seek comment on the
benefits and burdens, especially the burdens on small entities, of
adopting any new or revised rules regarding the customer authentication
and porting process. Specifically, we seek comment whether the proposed
requirements would impose additional burdens on smaller carriers;
whether smaller carriers would face different costs than larger
carriers in implementing the new requirements, if adopted; whether
smaller carriers would need more time to comply with any new or
modified authentication or port-out rules; and whether smaller
providers face other obstacles that we have not considered here. The
Commission expects to consider the economic impact on small entities,
as identified in comments filed in response to the NPRM, in reaching
its final conclusions and taking action in this proceeding.
F. Federal Rules That May Duplicate, Overlap, or Conflict With the
Proposed Rules
77. None.
III. Procedural Matters
78. Ex Parte Rules. This proceeding shall be treated as a ``permit-
but-disclose'' proceeding in accordance with the Commission's ex parte
rules. Persons making ex parte presentations must file a copy of any
written presentation or a memorandum summarizing any oral presentation
within two business days after the presentation (unless a different
deadline applicable to the Sunshine period applies). Persons making
oral ex parte presentations are reminded that memoranda summarizing the
presentation must (1) list all persons attending or otherwise
participating in the meeting at which the ex parte presentation was
made, and (2) summarize all data presented and arguments made during
the presentation. If the presentation consisted in whole or in part of
the presentation of data or arguments already reflected in the
presenter's written comments, memoranda or other filings in the
proceeding, the presenter may provide citations to such data or
arguments in his or her prior comments, memoranda, or other filings
(specifying the relevant page and/or paragraph numbers where such data
or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with Rule 1.1206(b). In proceedings governed by
Rule 1.49(f) or for which the Commission has made available a method of
electronic filing, written ex parte presentations and memoranda
summarizing oral ex parte presentations, and all attachments thereto,
must be filed through the electronic comment filing system available
for that proceeding, and must be filed in their native format (e.g.,
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding
should familiarize themselves with the Commission's ex parte rules.
79. Initial Regulatory Flexibility Analysis. Pursuant to the
Regulatory Flexibility Act (RFA), the Commission has prepared an
Initial Regulatory Flexibility Analysis (IRFA) of the possible
significant economic impact on small entities of the policies and
actions considered in this NPRM. Written public comments are requested
on this IRFA. Comments must be identified as responses to the IRFA and
must be filed by the deadlines for comments on the NPRM. The
Commission's Consumer and Governmental Affairs Bureau, Reference
Information Center, will send a copy of the NPRM, including the IRFA,
to the Chief Counsel for Advocacy of the Small Business Administration.
80. Paperwork Reduction Act of 1995 Analysis. This document
contains proposed new or modified information collection requirements.
The Commission, as part of its continuing effort to reduce paperwork
burdens, invites the general public and the Office of Management and
Budget (OMB) to comment on the information collection requirements
contained in this document, as required by the Paperwork Reduction Act
of 1995, Public Law 104-13. In addition, pursuant to the Small Business
Paperwork Relief Act of 2002, Public Law 107-198, we seek specific
comment on how we might further reduce the information collection
burden for small business concerns with fewer than 25 employees.
IV. Ordering Clauses
81. Accordingly, it is ordered that, pursuant to the authority
contained in sections 1, 4, 201, 222, 251, 303(r), and 332 of the
Communications Act of 1934, as amended, 47 U.S.C. 151, 154, 201, 222,
251, 303(r), and 332, this Notice of Proposed Rulemaking in WC Docket
No. 21-341 is adopted.
82. It is further ordered that the Commission's Consumer and
Governmental Affairs Bureau, Reference Information Center, shall send a
copy of this Notice of Proposed Rulemaking, including the Initial
Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of
the Small Business Administration.
List of Subjects in 47 CFR Parts 52 and 64
Communications, Communications common carrier, Individuals with
disabilities, Reporting and recordkeeping requirements,
Telecommunications, Telephone.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Proposed Rules
For the reasons discussed in the preamble, the Federal
Communications Commission proposes to amend 47 CFR parts 52 and 64 as
follows:
PART 52--NUMBERING
0
1. The authority citation for part 52 continues to read as follows:
Authority: 47 U.S.C. 151, 152, 153, 154, 155, 201-205, 207-209,
218, 225-227, 251-252, 271, 303, 332, unless otherwise noted.
0
2. Add Sec. 52.37 to subpart C to read as follows:
Sec. 52.37 Number Portability Requirements for Wireless Providers.
(a) A wireless provider, including a reseller of wireless service,
may only require the data described in paragraphs (b) and (c) of this
section to accomplish a simple wireless-to-wireless port order request
from an end user customer's new wireless provider.
(b) Required standard data fields.
(1) Ported telephone number;
(2) Account number;
(3) Zip code;
(c) Optional standard data field. A Passcode field shall be
optional unless the passcode has been requested and assigned by the end
user, in which case it is required.
(d) Notification required after port request. A wireless provider,
including a reseller of wireless service, shall notify an end user
customer that a port request
[[Page 57404]]
has been received for the customer's account before executing a simple
wireless-to-wireless port request. A wireless provider shall provide
this notification to the end-user customer via text message to the
telephone number of record for the customer's account or via push
notification.
(e) Account freezes. A wireless provider, including a reseller of
wireless service, shall offer customers the option to lock their
accounts to prohibit unauthorized port requests. If the customer
chooses to lock the customer's account, the wireless provider shall not
fulfill a simple wireless-to-wireless port order request until the
customer deactivates the lock on the account.
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
0
3. The authority citation for part 64 continues to read as follows:
Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220,
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276,
403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub.
L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.
0
4. Amend Sec. 64.2010 by:
0
a. Revising paragraphs (b) and (c),
0
b. Redesignating paragraphs (e) through (g) as paragraphs (g) through
(i),
0
c. Revising newly redesignated paragraphs (g) and (h), and
0
d. Adding new paragraphs (e) and (f).
The revisions and addition read as follows:
Sec. 64.2010 Safeguards on the disclosure of customer proprietary
network information.
* * * * *
(b) Telephone access to CPNI. Telecommunications carriers may only
disclose call detail information over the telephone, based on customer-
initiated telephone contact, if the customer first provides the carrier
with a password, as described in paragraph (g) of this section, that is
not prompted by the carrier asking for readily available biographical
information or account information. If the customer does not provide a
password, the telecommunications carrier may only disclose call detail
information by sending it to the customer's address of record, or by
calling the customer at the telephone number of record. If the customer
is able to provide call detail information to the telecommunications
carrier during a customer-initiated call without the telecommunications
carrier's assistance, then the telecommunications carrier is permitted
to discuss the call detail information provided by the customer.
(c) Online access to CPNI. A telecommunications carrier must
authenticate a customer without the use of readily available
biographical information, account information, recent payment
information, or call detail information, prior to allowing the customer
online access to CPNI related to a telecommunications service account.
Once authenticated, the customer may only obtain online access to CPNI
related to a telecommunications service account through a password, as
described in paragraph (g) of this section, that is not prompted by the
carrier asking for readily available biographical information, account
information, recent payment information, or call detail information.
* * * * *
(e) Subscriber Identity Module (SIM) changes. Telecommunications
carriers shall not effectuate a SIM change unless the carrier uses a
secure method of authenticating its customer. For purposes of this
paragraph, the following shall be considered secure methods of
authenticating a customer: (1) Use of a pre-established password; (2) a
one-time passcode sent via text message to the account phone number or
a pre-registered backup number; (3) a one-time passcode sent via email
to the email address associated with the account; or (4) a one-time
passcode sent using a voice call to the account phone number or a pre-
registered backup number. These methods shall not be considered
exhaustive and an alternative customer authentication measure used by a
carrier must be a secure method of authentication. For purposes of this
section, SIM means a physical or virtual card contained with a device
that stores unique information that can be identified to a specific
mobile network.
(f) Procedures for failed authentication for SIM changes. Wireless
carriers shall develop, maintain, and implement procedures for
responding to multiple failed authentication attempts.
(g) Establishment of a password and back-up authentication methods
for lost or forgotten passwords. To establish a password, a
telecommunications carrier must authenticate the customer without the
use of readily available biographical information, account information,
recent payment information, or call detail information.
Telecommunications carriers may create a back-up customer
authentication method in the event of a lost or forgotten password, but
such back-up customer authentication method may not prompt the customer
for readily available biographical information, account information,
recent payment information, or call detail information. If a customer
cannot provide the correct password or the correct response for the
back-up customer authentication method, the customer must establish a
new password as described in this paragraph.
(h) Notification of account changes. Telecommunications carriers
must notify customers immediately whenever a password, customer
response to a back-up means of authentication for lost or forgotten
passwords, online account, or address of record is created or changed.
This notification is not required when the customer initiates service,
including the selection of a password at service initiation. This
notification may be through a carrier-originated voicemail or text
message to the telephone number of record, or by mail to the address of
record, and must not reveal the changed information or be sent to the
new account information. Telecommunications carriers shall notify
customers immediately of any requests for SIM changes through means
that effectively alert customers in a timely manner.
(i) Business customer exemption. Telecommunications carriers may
bind themselves contractually to authentication regimes other than
those described in this section for services they provide to their
business customers that have both a dedicated account representative
and a contract that specifically addresses the carriers' protection of
CPNI.
[FR Doc. 2021-22099 Filed 10-14-21; 8:45 am]
BILLING CODE 6712-01-P