In today’s interconnected telecom landscape, most VoIP operators’ compliance concerns with FCC regulations focus primarily on what happens to calls after they enter their network, including STIR/SHAKEN authentication, call blocking obligations, and traceback participation. In contrast, the rulemaking proposed in April 2026 addresses the information gathered about your client prior to the initiation of their first call. 

On April 30, 2026, the FCC adopted a Further Notice of Proposed Rulemaking (FNPRM) on Know-Your-Customer (KYC) requirements for originating voice service providers. Interconnected VoIP providers are explicitly named. This is not a clarification of existing rules. It is a structural expansion of what ‘knowing your customer’ means in practice, with per-call penalty proposals that change the compliance math for any operator running significant call volume. 

If you run a VoIP business: ITSP, wholesale carrier, SIP trunking provider, or regional telecom operator, this rulemaking is worth understanding now, before the comment period closes and rules move toward finalization. 

What Is the FCC’s April 2026 KYC Rulemaking?  

The FNPRM, under CG Docket Nos. 17-59 and 02-278 (titled “Advanced Methods to Target and Eliminate Unlawful Robocalls”), aims to clarify the FCC’s existing KYC rules. These rules require providers to take “affirmative, effective” steps to know their customers and what that means operationally. 

The current rule is deliberately vague. It demands results without specifying steps. The April 2026 FNPRM fixes this by detailing what customer information providers must collect, how to verify it, retention periods, and consequences for noncompliance. 

This rulemaking differs from the 2025 call blocking order, which covers handling illegal calls already in the network. Instead, this FNPRM targets customer onboarding before any calls starts and places compliance responsibility on the operator granting network access. 

Who Does This Apply To? 

The FNPRM applies to traditional wireline carriers, commercial mobile radio service (CMRS) providers, and interconnected VoIP service providers. There is no VoIP exemption. Any provider that originates calls over an IP network in the United States is in scope.  

This matters because a common assumption in the VoIP ecosystem is that FCC compliance frameworks mainly target the legacy carriers. The April 2026 FNPRM makes no such distinction. Originating VoIP providers face the same onboarding and verification obligations and the same enforcement exposure as wireline carriers.  

The regulatory pressure makes sense given the scale of the problem. Robocall volume in the US reached 29.6 billion unwanted calls in 2025, a 15.6% increase from 2024 and the highest level in four years, according to YouMail data cited by U.S. PIRG. The FTC received more than 2.6 million Do Not Call complaints in fiscal year 2025. The FCC believes bad actors gain network access through providers with weak customer screening, and VoIP networks remain a primary entry point. 

Five Operational Requirements the FCC Is Proposing 

The FNPRM covers five distinct compliance areas. Each one has direct operational implications for how VoIP operators onboard and manage customers. 

1. Customer IdentificationThe Baseline for Every Account 

The FNPRM sets baseline requirements for all new and renewing customers. Providers must collect: 

  • Full legal name 
  • Physical address (no P.O. boxes, virtual offices, mail forwarding, or shared offices without dedicated suites) 
  • Government-issued ID number 
  • Alternate phone number 

The ‘renewing customer’ definition is deliberately broad. The FCC seeks input on treating plan switches or auto-renewals as new customers, requiring re-verification. For operators managing large customer bases, re-verification may need to be built into renewal workflows, not just new onboarding. 

2. High-Volume Customer RulesAdditional Requirements for Business and Wholesale Accounts 

For customers with origination volumes above what a personal account would typically generate, the FNPRM proposes two additional requirements:  

  • The intended use of the service (marketing, education, political, etc.) 
  • The IP address from which calls will be placed. 

The Lingo Telecom consent order of 2024, as used directly in the FNPRM as the model required collection of: 

  • Legal business name with records 
  • Place of formation 
  • Proof of good standing (within 6 months) 
  • EIN or business registration number 
  • Confirmed physical address 
  • Active phone number 
  • Type of goods/services offered 
  • Name of authorized person representing the customer 

The FCC proposes these for all high-volume customers. This includes wholesale carriers, SIP trunking providers, and ITSPs serving business clients. 

3. Verification with Supporting RecordsNot Just Data Collection  

The FNPRM separates collecting info from verifying it. High-volume accounts need supporting documents like: 

  • Corporate formation records 
  • State-issued proof of good standing 
  • Confirmation of active phone number 
  • Third-party confirmation of physical address 
  • Evidence of commercial presence (website, social media, physical storefront) 

The FCC named specific red flags that should trigger heightened scrutiny or denial of service:  

  • Using registered agents/virtual offices as physical addresses 
  • No registration record in claimed state 
  • New websites with little content 
  • Recently created email addresses 
  • Crypto or non-traceable payments 

For VoIP operators who onboard business customers remotely which is a common practice in the wholesale and SIP trunking market, these requirements represent a meaningful change to current onboarding procedures. 

4. Risk-Based Re-VerificationOngoing Monitoring Obligations  

The FNPRM proposes that re-verification be triggered by traffic pattern changes or behavioral anomalies during an existing customer relationship. The FCC specifically flags:  

  • A domestic US company transmitting call traffic from a foreign IP address 
  • Dormant accounts that suddenly reactivate and generate high call volumes  
  • Traffic patterns inconsistent with the stated account purpose  

This is a departure from a point-in-time onboarding model. Compliance is not satisfied by completing a verification workflow at signup. It requires ongoing monitoring that can trigger re-verification throughout the customer lifecycle.  

5. Four-Year Record Retention  

The FNPRM requires keeping all KYC records and documents for four years after a customer relationship ends. This matches the TCPA statute of limitations for spoofing and intentional violations, allowing FCC enforcement before cases expire. 

For VoIP operators, this creates a records management obligation that needs to be handled at the platform level, not on a case-by-case basis. 

The $2,500 Per-Call PenaltyWhy the Numbers Matter 

The most significant enforcement proposal in the FNPRM is the penalty structure: $2,500 per call for KYC violations, not per customer, not per violation. 

Per-customer penalties limit risk exposure by a manageable amount, no matter how many calls are made from each individual. Per-call penalties scale with each minute spent making calls from a non-compliant customer. One improperly verified but high-volume client can produce exposure in the millions when he makes thousands of calls every day. 

In Q1 2025, the FTC estimated $280 million in consumer losses from scams that began with phone calls. With YouMail estimating 1.9 billion such calls that quarter, this implies about 15 cents average reported loss per call and extrapolating to April suggests $90–100 million more in phone-initiated scam losses. 

Total costs to US consumers from robocall fraud, wasted time, and nuisance are estimated at $13.5 billion annually (FCC cited figure). 

For a wholesale VoIP carrier managing hundreds of business accounts, the risk from one non-compliant customer running high call volumes is not theoretical. It’s proportional to the traffic on the network. 

How ASTPP Supports KYC-Compliant Operator Onboarding 

ASTPP was built for carrier-grade VoIP operations at scale, and several of its core capabilities map directly to what the FCC’s proposed compliance framework requires. 

  • KYC Verification per DID: ASTPP’s DID management system supports country-specific KYC verification requirements, gating DID assignment until customer identity documents are submitted and validated. This addresses the FCC’s proposed onboarding identification and verification requirements at the account level. 
  • Fraud Detection Engine: ASTPP’s fraud detection system monitors call traffic patterns in real time, flagging anomalies that align with the FCC’s proposed re-verification triggers traffic spikes, unusual call patterns, destination mismatches, and dormant account reactivations. 
  • CDR Processing and Retention: ASTPP’s CDR engine captures and retains comprehensive call detail records across customer accounts. The platform’s reporting and audit capabilities provide the documentation layer that KYC compliance requires as an auditable record of customer activity that can support FCC investigations. 
  • Account-Level Allow/Deny Controls: The Allow/Deny list system enables prefix-based call controls at the account level, supporting risk-based traffic management for higher-risk customers or accounts showing anomalous behavior. 
  • Multi-Tenant Architecture: For operators managing wholesale customers across a multi-tenant structure, ASTPP applies compliance and billing controls independently at each account tier. SIP trunking providers and wholesale carriers managing large customer bases can enforce KYC and monitoring requirements per customer without disrupting the broader platform. 

These are platform capabilities that already exist in ASTPP. These were built for the operational reality of running a carrier-grade VoIP business. The FCC’s proposed KYC framework addresses to the same operational problems: who is this customer, what are they doing on the network, anwhat’s the record? 

What Operators Should Do Before the Rules Are Finalized  

The FNPRM is still under the comment period, not yet a final rule. But waiting for finalization before reviewing compliance infrastructure is a mistake. The FCC’s enforcement posture makes clear this direction is settled, even if specific rule text is not. 

The comment period is also an opportunity. Initial comments are due 30 days after Federal Register publication; reply comments 60 days. VoIP operators with positions on the high-volume customer definition, the prepaid/postpaid distinction, or the re-verification trigger thresholds have standing to participate.  

In the meantime, practical steps worth taking now:  

  • Audit current customer onboarding workflows against the five proposed requirement areas  
  • Identify high-volume customer accounts and assess what documentation is currently on file 
  • Review CDR and customer record retention policies against the four-year window 
  • Build traffic anomaly monitoring into ongoing account management, not just onboarding 
  • Consult legal counsel on comment participation if the proposed rules would materially affect your business model 

Operators already running ASTPP have a head start. The platform’s fraud detection, CDR retention, DID-level KYC controls, and account-level traffic management are the infrastructure these rules are designed around. 

What documentation should operators be collecting from high-volume customers now? 

Based on the Lingo Telecom consent decree cited in the FNPRM, operators must collect the below documentation:  

  • Legal business name with supporting records 
  • Corporate formation documents 
  • Proof of good standing dated within six months 
  • EIN or equivalent 
  • Physical address with third-party confirmation 
  • Active telephone number 
  • Stated intended use of the service 
  • Identity of the authorized individual acting on the account. 

Conclusion 

The FCC’s April 2026 KYC FNPRM shifts the compliance focus from the network to the onboarding desk. For VoIP operators, the five proposed requirements:  identification, verification, high-volume account rules, re-verification triggers, and four-year retention, represent a real operational change, not a theoretical future concern. 

Building compliant customer onboarding and traffic monitoring infrastructure now, while the rules are still in comment period, is the better path than reacting after finalization. The enforcement trajectory is clear regardless of what the final rule text looks like. 

ASTPP’s platform was built for this operational reality. Carrier-grade billing, fraud detection, CDR retention, DID-level KYC controls, and multi-tenant account management give operators the foundation the FCC’s proposed framework is built around. 

Ready to see how ASTPP supports carrier-grade, compliant VoIP operations?  

Book a demo Now