FCC To Consider Strengthening CPNI and Number Porting Rules to Stop Fraudulent SIM Card Swapping and Port-Out
The Federal Communications Commission (FCC) is taking action to protect consumers from SIM swap and port-out fraud. In an upcoming vote on November 15, the FCC will consider new proposed rulemaking aimed at preventing scammers from taking control of people’s mobile accounts through tactics like SIM card swapping and phone number porting. This initiative, which has been in the works since July, is a significant step in safeguarding cell phone users from fraud.
SIM card swapping involves scammers tricking a mobile carrier into believing they are the legitimate customer in need of a new SIM card. Once successful, the scammer gains control over the victim’s phone number, including access to calls and texts. They can then exploit this access for various fraudulent activities, such as purchasing new phones or opening accounts in the victim’s name, sometimes using text messages for verification.
Port-out fraud is another method where scammers impersonate the victim to transfer their phone number to a different carrier and device under the scammer’s control. The proposed rules will help close these security gaps, ultimately protecting consumers.
Rosenworcel’s draft proposed rulemaking would require wireless providers to create “secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider.” Additionally, they would be required to inform customers whenever such a request is initiated on their account.
The draft proposed rulemaking is among the earliest initiatives of the FCC’s recently established Privacy and Data Protection Task Force, which Chairwoman Rosenworcel introduced in June. This task force, led by the head of the FCC’s Enforcement Bureau, is designed to address issues that undermine public trust in data protection and calls for a comprehensive approach involving both government and private sector collaboration.
What the Report and Order Would Do:
- Set baseline requirements that establish a uniform framework across the mobile wireless industry, giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available while not impinging on customers’ ability to upgrade and replace their devices or choose their preferred wireless provider.
- Revise the Commission’s Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider and require that providers keep records of SIM change requests and the authentication measures they use.
- Adopt additional rules that reinforce that requirement, including requiring wireless providers to adopt processes for responding to failed authentication attempts, institute employee training for handling SIM swap and port-out fraud, and establish safeguards to prevent employees who interact with customers from accessing CPNI until after customers have been authenticated.
- Adopt rules that will enable customers to act to prevent and address fraudulent SIM changes and number ports, including requiring wireless providers to notify customers regarding SIM change and port-out requests, offer customers the option to lock their accounts to block processing of SIM changes and number ports, and give advanced notice of available account protection mechanisms.
- Establish requirements to minimize the harms of fraud when it occurs, including requiring wireless providers to maintain a clear process for customers to report fraud, promptly investigate and remediate fraud, and promptly provide customers with documentation of fraud involving their accounts.
What the Further Notice Would Do:
- Seek comment on whether to harmonize the Commission’s existing requirements governing customer access to CPNI with the SIM change authentication and protection measures in the Report and Order, and on what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud.
The draft proposed rules will be considered at the FCC November 15 Open Meeting. If it is adopted, interested parties will have 30 days from publication in the Federal Register to submit comments.
CONTACT US NOW if you have questions about data privacy obligations under federal laws and FCC rules
Jonathan S. Marashlian – Tel: 703-714-1313 / E-mail: jsm@CommLawGroup.com
Michael Donahue — Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@CommLawGroup.com
Diana Bikbaeva – Tel: 703-663-6757 / E-mail: dab@CommLawGroup.com