The Federal Communications Commission (FCC) has teed up another significant robocall item for its May 20, 2026 Open Meeting. The draft Further Notice of Proposed Rulemaking (FNPRM), released on April 29, would enhance the STIR/SHAKEN framework by imposing more specific “Know-Your-Upstream-Provider” (KYUP) obligations, tightening how providers assign STIR/SHAKEN attestations, and closing implementation gaps that can allow calls to move through the network without reliable authentication information.
The proposal should be viewed together with the Commission’s separate “Know-Your-Customer” (KYC) rulemaking scheduled for consideration at the April 30 Open Meeting. Together, the two items reflect a coordinated FCC push to move robocall compliance from a largely policy-and-certification regime toward a more prescriptive verification, monitoring, documentation, and refusal-of-service framework for voice providers.
If adopted, the FNPRM would not immediately impose final rules. It would, however, start a high-stakes comment cycle for voice service providers, gateway providers, intermediate providers, VoIP resellers, MVNOs, wholesale providers, enterprise-focused voice platforms, and other entities in the call path. Providers should begin assessing whether their onboarding, upstream-provider due diligence, attestation logic, third-party signing arrangements, routing practices, and RMD filings would satisfy the FCC’s proposed baseline obligations.
At-a-Glance
- Proceeding: Call Authentication Trust Anchor; Advanced Methods to Target and Eliminate Unlawful Robocalls, WC Docket No. 17-97; CG Docket No. 17-59
- FCC Action: Draft Further Notice of Proposed Rulemaking scheduled for tentative consideration at the May 20, 2026 Open Meeting
- Core Policy Shift: Shift from flexible KYUP and STIR/SHAKEN obligations toward more prescriptive baseline rules, documentation, and accountability
- Comment cycle: Comments would be due 30 days after Federal Register publication; replies would be due 60 days after Federal Register publication
- Target Audience: Originating, intermediate, gateway, terminating, wholesale, reseller, VoIP, CMRS, MVNO, and enterprise voice providers, as well as providers relying on third-party authentication services
Why This Matters
- The FCC is targeting providers that enable or carry illegal traffic, not just the end users placing the calls. The draft would press every provider in the call path to play an active role in keeping bad actors out of the voice ecosystem.
- The FNPRM would make upstream-provider vetting more concrete. Providers would need to collect business, ownership, operational, financial, and service-related information; verify authenticity; review regulatory compliance; monitor ongoing activity; and refuse or discontinue service where appropriate.
- The item would make STIR/SHAKEN attestations more enforceable. The Commission proposes to codify A-, B-, and C-level attestation criteria, require providers to satisfy defined conditions before applying higher attestations, and prohibit improper attestations that the FCC views as already implicit in the framework.
- The proposal would expand compliance risk beyond robocall mitigation plans. Provider contracts, onboarding workflows, RMD representations, call analytics, traceback response protocols, certificate/SPC token status, third-party signing agreements, and routing practices could all become relevant to enforcement exposure.
- The FCC is also asking how these proposals could address foreign-originated traffic entering the United States, signaling continued scrutiny of gateway and international call-path practices.
Key Proposals in the Draft FNPRM
1. Establishing Specific Know-Your-Upstream-Provider Requirements
The current KYUP rule requires voice service providers to take reasonable and effective steps to ensure that upstream originating or intermediate providers are not using the provider to carry or process a high volume of illegal traffic onto the U.S. network. The draft FNPRM would revise and strengthen that obligation by requiring each voice service provider to take affirmative, effective measures to prevent an upstream provider from using its network or services to transmit illegal calls.
The FCC proposes five baseline KYUP categories:
- Information collection: obtaining core business, ownership, affiliate, financial, operational, and service information from upstream providers.
- Compliance review: confirming, among other things, the upstream provider’s Robocall Mitigation Database filing and reviewing whether the filing and robocall mitigation plan appear complete and compliant.
- Information verification: conducting due diligence to verify the authenticity and consistency of information provided by the upstream provider.
- Monitoring: monitoring upstream-provider activity for indicia of unlawful traffic, suspicious call patterns, traceback evidence, complaint data, or other red flags.
- Responsive action: refusing service, suspending service, or discontinuing service when an upstream provider may be the source of illegal calls or otherwise presents unacceptable risk.
The draft would require providers to perform KYUP review before entering into a new upstream-provider agreement, before renewing or renegotiating an existing agreement, and whenever the provider finds, receives, or becomes aware of information suggesting risk. The draft also contemplates a one-time KYUP review for existing upstream-provider relationships after any final rules become effective.
2. Strengthening STIR/SHAKEN Governance Authority Oversight
The FNPRM would seek to strengthen the role of the STIR/SHAKEN Governance Authority and related ecosystem controls by proposing improved policies for issuing Service Provider Code (SPC) tokens, selecting Certification Authorities, and enforcing participation rules. The policy objective is to make it harder for bad actor providers to obtain or retain access to the certificates needed to participate in the STIR/SHAKEN ecosystem.
3. Raising Attestation Standards
The draft FNPRM would codify the A-, B-, and C-level attestation framework and establish more specific criteria for when each attestation may be used. In practical terms, providers applying A-level attestations would need to support both the identity of the customer and the customer’s right to use the calling number. Providers applying B-level attestations would need to have a direct, authenticated relationship with the customer but be unable to establish verified association with the telephone number. C-level attestations would remain appropriate where the provider lacks responsibility for origination or lacks a direct, authenticated relationship with the customer.
The FCC also proposes to codify prohibitions on improper attestations, including practices that overstate the provider’s knowledge of the calling party or the calling party’s right to use the number. This would create clearer enforcement hooks for alleged attestation misuse.
4. Closing STIR/SHAKEN Implementation Loopholes
- Clarify key definitions governing which providers must implement STIR/SHAKEN, including how obligations apply to initiating, originating, intermediate, gateway, and terminating providers.
- Repeal the two remaining undue hardship extensions to STIR/SHAKEN implementation.
- Require providers that serve end users directly to make attestation-level decisions for those end users’ SIP calls, even where the provider relies on another entity to perform technical signing.
- Prohibit intentional routing designed to strip authentication information where the provider has a technically available route that preserves authentication information.
- Require blocking of unauthenticated calls in certain circumstances and require intermediate providers to authenticate unauthenticated calls they receive.
5. Addressing Foreign-Originated Calls and Special Circumstances
The FCC seeks comment on whether the proposed KYUP and STIR/SHAKEN reforms would deter illegal calls entering the United States from abroad and whether additional measures are needed for foreign-originated traffic. The draft also asks about special circumstances involving telecommunications relay service providers and public safety safeguards, including protections against blocking emergency communications.
Relationship to the Separate Know-Your-Customer Proceeding
This FNPRM is best read as the upstream-provider counterpart to the Commission’s KYC rulemaking. The KYC item focuses on how originating providers screen new and renewing end-user customers before calls are placed. The KYUP/STIR-SHAKEN item focuses on how providers vet and monitor other voice service providers from which they directly receive traffic and how they authenticate calls within the STIR/SHAKEN framework.
For providers, the operational takeaway is that robocall compliance may increasingly require two parallel diligence frameworks: customer diligence for end users and provider diligence for upstream interconnection, wholesale, resale, gateway, and intermediate-provider relationships. Providers should ensure those functions are coordinated rather than siloed, because customer onboarding, upstream-provider onboarding, RMD certifications, call analytics, and STIR/SHAKEN attestation logic may all be cross-referenced in a future enforcement inquiry.
Key Compliance Takeaways for Providers
- Inventory upstream-provider relationships. Identify all providers from which the company receives traffic, including wholesale, reseller, gateway, intermediate, and affiliate arrangements.
- Map existing KYUP procedures against the FCC’s proposed baseline categories. Most providers will need more than a contract representation or RMD check to satisfy the proposed framework.
- Review RMD filings and robocall mitigation plans. Ensure descriptions of KYUP practices, STIR/SHAKEN implementation, traceback cooperation, and mitigation measures are current and consistent with actual operations.
- Evaluate attestation decisioning. Confirm who makes attestation-level decisions, what data supports A- and B-level attestations, and how number-use rights are verified and documented.
- Review third-party signing arrangements. Providers using third parties to perform technical signing should confirm that calls are signed with the provider’s own certificate and that the provider—not the vendor—makes attestation-level decisions.
- Assess routing practices. Providers should determine whether any routing practices could be viewed as intentionally stripping authentication information or avoiding authentication-preserving routes.
- Build refusal and discontinuance protocols. The proposed KYUP framework assumes providers will act when upstream-provider risk is identified; companies should prepare escalation, suspension, notice, and termination procedures.
- Prepare to comment. The FNPRM raises important implementation, cost, timing, small-provider, foreign-traffic, privacy, and enforcement questions that could materially affect operational burdens.
Comment Opportunities
If adopted at the May 20 Open Meeting, comments would be due 30 days after publication in the Federal Register, and reply comments would be due 60 days after publication. Providers may wish to develop comments addressing whether the proposed KYUP categories are workable, how much diligence is reasonable before service initiation or renewal, how providers should handle incomplete upstream-provider responses, how to protect sensitive ownership and financial information, and how the Commission should calibrate enforcement for providers acting in good faith.
Because the draft has been released before the Open Meeting in a permit-but-disclose proceeding, advocacy before the Sunshine period may also be available, subject to the FCC’s ex parte rules and any applicable filing requirements.
Next Steps
The CommLaw Group will continue monitoring the Commission’s robocall proceedings closely, including the April KYC item and the May KYUP and STIR/SHAKEN item. Providers should use the period before any final rules are adopted to evaluate their current upstream-provider diligence practices, caller ID authentication operations, and RMD disclosures. Early review may help identify gaps before the Commission converts these proposals into enforceable compliance obligations.
Our firm is actively assisting voice service providers, VoIP providers, resellers, gateway providers, intermediate providers, and enterprise communications platforms in assessing robocall mitigation, KYC/KYUP, STIR/SHAKEN, RMD, and traceback compliance obligations. Providers interested in filing comments, participating in industry advocacy, or evaluating their compliance posture should contact us promptly.