FCC’s KYUP FNPRM Signals a Further Shift Toward Prescriptive Robocall Compliance Obligations
Jun 18 2026
The FCC’s latest robocall proposal marks a significant shift from flexible, principles-based expectations to a far more prescriptive compliance regime for voice service providers. The Further Notice of Proposed Rulemaking (FNPRM) would require providers to adopt structured, documented processes for vetting upstream partners (a “know your upstream provider,” or KYUP, requirement), monitoring traffic, and validating caller ID information. It would also expand existing obligations to cover all illegal calls – not just high-volume robocall activity – a significant departure from the FCC’s current robocall framework. These proposals build on a parallel and similarly controversial effort by the Commission to expand its “Know-Your-Customer” (KYC) rules, which would impose detailed customer identification, verification, and recordkeeping obligations on originating providers. Like KYUP, the KYC proposal has drawn criticism for its breadth, operational complexity, and potential unintended consequences, including increased compliance costs and heightened risks associated with the collection and retention of sensitive customer data.
At a high level, the KYUP proposal reflects the Commission’s view that existing frameworks have been undermined by inconsistent practices and gaps in enforcement. In response, the FCC is seeking to impose more uniform requirements across the call path, including detailed expectations around information collection, verification, compliance review, and ongoing monitoring of upstream providers. These obligations would be triggered not only at onboarding, but also during contract renewals and whenever new information raises concerns about an upstream partner.
The FNPRM also places a strong emphasis on operationalizing compliance. Providers would be expected to implement formal KYUP programs, maintain records for multiple years, and ensure coordination between business and compliance functions. Continuous monitoring – supported by call analytics and regular compliance checks – would become a core expectation rather than a best practice. At the same time, the FCC is signaling that providers must be prepared to take documented, timely action when issues arise, including refusing or discontinuing service to problematic upstream partners under an “objectively reasonable” standard.
Beyond KYUP, the proposal tightens expectations around STIR/SHAKEN implementation, particularly attestation practices. By codifying attestation standards (A, B, and C) and prohibiting “improper attestation,” the FCC is aiming to eliminate perceived abuses and inconsistencies that have weakened the authentication framework. The Commission also proposes enhanced oversight of the STIR/SHAKEN Governance Authority and broader participation requirements across all provider types, reflecting a push toward full ecosystem accountability.
The FNPRM suggests that many of these activities – such as due diligence, monitoring, and contractual safeguards – are already being performed by providers, even as it acknowledges the incremental costs associated with formalizing and documenting them. In practical terms, the proposal signals that compliance programs will need to evolve from informal or ad hoc processes to fully developed frameworks supported by documentation, internal controls, and defensible decision-making. As the FCC moves toward more detailed requirements and enhanced oversight, providers should expect increased scrutiny not only of their outcomes, but of the processes they use to manage risk for their voice traffic.