FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules

The Federal Communications Commission (“FCC”) has adopted rules to address two fraudulent practices that “bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of the consumer’s phone.”

In its recent Report and Order and Further Notice of Proposed Rulemaking released November 16, 2023, the Commission first addressed the practice where bad actors are able to swap a consumer’s subscriber identity module (“SIM”) card to a wireless device associated with a different SIM (i.e., SIM card swap fraud). The agency also acted on wireless number porting fraud, where bad actors impersonate a customer and convince the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls (i.e., port-out fraud). 

The FCC noted that in both cases the bad actor “has acquired the means to take control of many more of the victim’s accounts, which can result in substantial harm to the customer.”  This could include the interception of “text messages and phone calls used to authenticate a customer’s financial, social media and other accounts.” The fraud may provide the means for the bad actor to “gain access to these accounts and then change login credentials, obtain sensitive information, drain bank accounts and sell or try to ransom social media accounts.”  These abuses are successful even in the face of information used by wireless providers to authenticate their customers.

To prevent these instances of fraud the FCC has amended its rules relating to (i) individual customer proprietary network information (“CPNI”), which primarily reflects the customer’s telephone usage, and (ii) number portability, which, for example, allows a consumer to “port” a cell number from one provider to another. The FCC sets baseline rules that are intended “to establish a unform framework across the mobile wireless Prior to conducting a SIM change industry for the types of policies and procedures providers must employ to combat SIM swap and port-out fraud.”

 SIM Swap Fraud – Under amended CPNI rules, wireless providers will now be required to do the following to combat SIM swap fraud:

Port-Out Fraud – The Commission adopts similar requirements relating to:

Other consumer protection measures directed by the Commission to address these fraudulent practices are:

Implementation Timeframe – Wireless providers must comply with these requirements six months after the effective date of the Order, which will be 30 days after publication in the Federal Register, or, for those requirements subject to review by the Office of Management and Budget, upon completion of that review, whichever is later.

Further Notice of Proposed Rulemaking – Finally, the FCC seeks further comment on:

© Copyright 2024 Squire Patton Boggs (US) LLP
National Law Review, Volumess XIII, Number 335