Before the

Federal Communications Commission

Washington, D.C. 20554

statements.

I. INTRODUCTION...................................................................................................................................1

II. BACKGROUND.....................................................................................................................................4

III. DISCUSSION........................................................................................................................................18

IV. FURTHER NOTICE OF PROPOSED RULEMAKING......................................................................98

V. PROCEDURAL MATTERS...............................................................................................................109

VI. ORDERING CLAUSES......................................................................................................................120

APPENDIX A – FINAL RULES

APPENDIX B – FINAL REGULATORY FLEXIBILITY ANALYSIS

convinces a victim’s wireless provider

victim’s cell phone to a cell phone in the bad actor’s possession. This scam is also known as “SIM

swapping” because it involves an account being fraudulently transferred (or “swapped”) from a device

associated with one subscriber identity module (SIM) to a device associated with a different SIM. In the

second type of scam, the bad actor, posing as the victim, opens an account with a wireless provider other

than the victim’s current provider. The bad actor then arranges for the victim’s phone number to be

transferred (or “ported out”) to the account with the new wireless provider controlled by the bad actor.

opportunistic ways in which bad actors take over customers’ cell phone accounts. In doing so, we

request is made on customers’ accounts, and take additional steps to protect customers from SIM swap

and port-out fraud. Our approach sets baseline requirements that establish a uniform framework across

the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced

and appropriate fraud protection measures available.

comment on whether to harmonize the existing requirements governing customer access to CPNI

2

with

the SIM change authentication and protection measures we adopt today. We also seek comment on what

steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud.

II. BACKGROUND

incentivized bad actors to find ways to intercept authentication texts and calls. Two techniques they use

to accomplish this involve misuse of mechanisms that enhance competition in the telecommunications

marketplace and ensure that customers can access telecommunications services using the devices and

providers of their choosing: SIM changes and number porting.

they upgrade their cell phone or replace a cell phone that is lost or broken. A SIM facilitates the proper

routing of texts and calls to a customer’s cell phone so long as the SIM associated with the customer’s

phone number is assigned to that customer’s phone.

4

1

2

See id. § 64.2010.

3

For example, a consumer logging in to a bank account might be asked not only to provide the correct username and

password, but also to input a one-time passcode sent via text message to the consumer’s cell phone. Similarly, a

consumer who has forgotten the password for a social media account may be prompted to enter a one-time passcode

sent via text message to the consumer’s cell phone before being allowed to reset the password.

removing a physical SIM card from an old phone and placing it in a new phone, now wireless providers

virtually reassign embedded, electronic SIMs in modern phones from an old phone to a new one.

5

Bad

actors have successfully taken advantage of this legitimate practice by impersonating a customer of a

wireless provider and convincing the provider to reassign the virtual SIM card from the real customer’s

device to a device controlled by the bad actor, a practice known as “SIM swap fraud.”

6

This allows the

bad actor to gain access to information associated with the customer’s account, including CPNI, and gives

the bad actor control of the customer’s phone number so that the bad actor receives the text messages and

assigned passcode) to the new wireless provider. The new wireless provider then sends a request to port

the port”), the two wireless providers coordinate through the numbering administrator to port the

customer’s number to the new wireless provider.

As with SIM swap fraud, bad actors have successfully

taken advantage of this legitimate practice by impersonating a customer of a wireless provider and

convincing the provider to port the real customer’s telephone number to a new wireless provider and a

device that the bad actor controls.

11

customer’s phone number, thereby allowing the bad actor to receive text messages and phone calls

intended for the victim.

either form, the SIM “contains unique information that identifies it to a specific mobile network” and “allows

subscribers to use their mobile devices to receive calls, send SMS messages, or connect to mobile internet services.”

Russell Ware, What is a SIM Card?, Lifewire, https://www.lifewire.com/what-are-sim-cards-577532 (updated May

21, 2021).

5

See FCC, eSIM Cards FAQ, https://www.fcc.gov/consumers/guides/esim-cards-faq (last updated July 10, 2023).

6

CTIA, Protecting Your Wireless Account Against SIM Swap Fraud, https://www.ctia.org/protecting-against-sim-

swap-fraud (last visited Oct. 18, 2023).

7

Order and FNPRM).

9

See Telephone Number Requirements for IP-Enabled Services Providers; Local Number Portability Porting

Optimization, WC Docket No. 07-243 et al., Report and Order, Declaratory Ruling, Order on Remand, and Notice of

Proposed Rulemaking, 22 FCC Rcd 19531, 19555, para. 44 (2007) (2007 VoIP LNP Order or 2007 LNP Four

Fields Declaratory Ruling).

10

See SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14122, para. 6.

11

calls used to authenticate a customer’s financial, social media, and other accounts, the bad actor may have

the means to gain access to these accounts and then change login credentials, obtain sensitive information,

drain bank accounts, and sell or try to ransom social media accounts.

Victims can also be harmed by the

loss of service on their devices—the phone going dark or only allowing 911 calls—which is typically the

first sign that SIM swap or port-out fraud has occurred.

wireless providers— AT&T Mobility, LLC (AT&T), T-Mobile US, Inc. (T-Mobile), Tracfone, US

Mobile, and Verizon Wireless (Verizon)—and called to request a SIM change on each account. The

researchers found that all five wireless providers “used insecure authentication challenges that could

easily be subverted by attackers.”

Specifically, the research team identified six types of information

used by the wireless providers to authenticate their customers that were or could be vulnerable to abuse.

For example, authentication based on recent payment information was exploitable because some wireless

providers do not have systems that prevent a bad actor from purchasing a refill card and submitting it on a

Id.

23

Id. at 1.

24

Id.

25

47 U.S.C. § 222. See also Implementation of the Telecommunications Act of 1996: Telecommunications

Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, et al., CC Docket

Nos. 96-115, et al., Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409, 14419-20, paras.

12-14 (1999) (CPNI Reconsideration Order) (denying petitions for reconsideration and forbearance seeking

proprietary information of and relating to their customers, among others.

26

that a carrier may only use, disclose, or permit access to individually identifiable CPNI that it has

received or obtained by virtue of its provision of a telecommunications service: (1) as required by law;

(2) with the customer’s approval; or (3) in its provision of the telecommunications service from which

such information is derived or its provision of services necessary to, or used in, the provision of such

telecommunications service.

CPNI is defined as “(A) information that relates to the quantity, technical

configuration, type, destination, location, and amount of use of a telecommunications service subscribed

Commission adopted a set of rules designed to ensure that telecommunications carriers establish effective

safeguards to protect against unauthorized use or disclosure of CPNI.

31

Among other things, the

Commission required telecommunications carriers to train their personnel as to when they are and are not

authorized to use CPNI and required carriers to have an express disciplinary process in place for when

personnel improperly use CPNI.

32

In addition, the Commission required each carrier to annually certify

its compliance with the CPNI requirements and to make this certification publicly available.

33

(Continued from previous page)

different treatment for wireless providers under the Commission’s CPNI rules, concluding that “there is nothing in

222(f) provides that for purposes of section 222(c)(1), without the “express prior authorization” of the customer, a

customer shall not be considered to have approved the use or disclosure of or access to (1) call location

information concerning the user of a commercial mobile service or (2) automatic crash notification information of

any person other than for use in the operation of an automatic crash notification system. Id. § 222(f). Section

222(d) delineates certain exceptions to the general principle of confidentiality, including permitting a carrier to

use, disclose, or permit access to CPNI obtained from its customers to protect telecommunications services users

“from fraudulent, abusive, or unlawful use of, or subscription to” telecommunications services.

28

47 U.S.C. § 222(h)(1).

29

Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061 (1998) (CPNI Order).

31

See id. at 8195, paras. 193-202; 47 CFR §§ 64.2001-2009 (1998).

32

See 47 CFR § 64.2009(b) (1998); see also CPNI Order, 13 FCC Rcd at 8198, para. 198.

33

47 CFR § 64.2009(e) (1998); see also CPNI Order, 13 FCC Rcd at 8199, para. 201; CPNI Reconsideration Order,

14 FCC Rcd at 14468-69, n.331 (clarifying that carriers must “make these certifications available for public

inspection, copying and/or printing at any time during regular business hours at a centrally located business office of

the carrier”).

which a bad actor pretends to be a particular customer or other authorized person to obtain access to that

customer’s call detail or other private communications records.

The Commission concluded that

“pretexters have been successful at gaining unauthorized access to CPNI”

and that “carriers’ record on

protecting CPNI demonstrate[d] that the Commission must take additional steps to protect customers

from carriers that have failed to adequately protect CPNI.”

The new amendments to the rules restricted

the release of call detail information

based on customer-initiated telephone contact, imposed password

42

34

2007 CPNI Order, 22 FCC Rcd at 6928, para. 1 & n.1.

35

Id. at 6934, para. 12.

36

Id. at 6933.

37

The Commission defined “call detail” information to include “any information that pertains to the transmission of

specific telephone calls including, for outbound calls, the number called, and the time, location, or duration of any

call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any

40

47 CFR § 64.2010(f).

42

2007 CPNI Order, 22 FCC Rcd at 6943-45, paras. 26-32; 47 CFR § 64.2011.

44

Id. at 6956, para. 56; see also id. at 6954-57, paras. 54-59. We note that, in 2008, Congress ratified the

Commission’s decision to apply section 222’s requirements to interconnected VoIP by adding language to section

222 that expressly covers “IP-enabled voice service,” defined by reference to the Commission’s definition of

“interconnected VoIP service.” See New and Emerging Technologies 911 Improvement Act of 2008, Pub. L. No.

110-283 (2008); 47 U.S.C. § 222(d)(4), (f)(1), (g) (applying provisions of section 222 to “IP-enabled voice

service”); id. § 615b(8) (defining “IP-enabled voice service” as having “the meaning given the term ‘interconnected

prohibitions both on obtaining CPNI from a telecommunications carrier and on the sale, transfer,

purchase, or receipt of fraudulently obtained CPNI.

45

ability of users of telecommunications services to retain, at the same location, existing

telecommunications numbers without impairment of quality, reliability, or convenience when switching

from one telecommunications carrier to another.”

47

Section 251(e)(1) of the Act gives the Commission

48

from the statutory definition of “local exchange carrier,”

49

the Commission extended the LNP obligations

to CMRS providers pursuant to its independent authority in sections 1, 2, 4(i) and 332 of the Act.

50

Wireless providers have been required to provide wireless number portability since 2003.

51

45

Telephone Records and Privacy Protection Act of 2006, Pub. L. 109-476, 120 Stat. 3568 (2007) (codified at 18

U.S.C. § 1039).

46

47 U.S.C. § 251(b)(2).

47

47 U.S.C. § 153(37); 47 CFR § 52.21(m). The Commission has interpreted this language to mean that consumers

must be able to change providers while keeping their telephone number as easily as they may change providers

without taking their telephone number with them. See Telephone Number Portability; Carrier Requests for

47 U.S.C. § 153(32).

50

See Telephone Number Portability, CC Docket No. 95-116, First Report and Order and Further Notice of

Proposed Rulemaking, 11 FCC Rcd 8352, 8431, para. 153 (1996) (First Number Portability Order); Telephone

Number Portability, CC Docket No. 95-116, First Memorandum Opinion and Order on Reconsideration, 12 FCC

Rcd 7236, 7315-17, paras. 140-42 (1997) (First Number Portability Order on Reconsideration) (affirming the

Commission’s decision to impose number portability obligations on CMRS providers).

51

See 47 CFR § 52.31(a); see also First Number Portability Order, 11 FCC Rcd at 8439-41, paras. 164-68

(discussing implementation schedule for CMRS providers); see also Cellular Telecommunications Industry

95-116, Memorandum Opinion and Order, 17 FCC Rcd 14972, 14981-86, paras. 23-31 (2002) (extending the

implementation deadline for CMRS providers in the top 100 MSAs until November 24, 2003).

52

See Wireless Number Portability Order, 18 FCC Rcd at 20978, para. 24.

53

See 2007 LNP Four Fields Declaratory Ruling, 22 FCC Rcd at 19553, para. 42.

simple

on no more than four fields: (1) 10-digit telephone number; (2) customer account number; (3) five-digit

ZIP code; and (4) passcode (if applicable).

carrier, who then provides it to the old carrier in order to validate the request.

expanded and standardized the information exchanged between carriers when they execute a simple

wireline or intermodal port, which it concluded was necessary to ensure carriers could accomplish ports

within a one-business day porting interval the Commission established in 2009.

57

The Commission

54

A simple port is a port that (1) does not involve unbundled network elements; (2) involves an account only for a

single line; (3) does not include complex switch translations (e.g., Centrex, ISDN, AIN services, remote call

– which indicates that the new service provider initiating the port request has an authorization to initiate a port on

when requesting a port, some of the information described above is supplied by the customer to the new or gaining

apply these new requirements to providers of commercial mobile radio service (CMRS), as defined in

section 20.3 of Title 47 of the Code of Federal Regulations,

93

these new requirements to all SIM changes that wireless providers perform.

wireless providers to implement these rules with respect to customers of both pre-paid and post-paid

services, consistent with the protections afforded by section 222. We see no reason why the protections

should not apply to all customers of CMRS, including customers of resellers, particularly considering

indications in the record that pre-paid customers are disproportionately impacted by fraud and that many

1. Customer Authentication Requirements

agent, or other person acting for or employed by any common carrier or user, acting within the scope of his

employment.” 47 U.S.C. § 217.

majority of SIM changes do not raise security concerns,” Verizon Comments at 6, but Verizon did not explain how

carriers may know that certain SIM changes are lower risk than others and its assertion did not receive support in the

record, so we decline to limit the applicability of our requirements to only certain SIM changes.

(continued….)

“SIM,” for purposes of these rules, as “a physical or virtual card associated with a device that stores

unique information that can be identified to a specific mobile network.”

99

The record reflects significant

support for strengthening authentication requirements for SIM change requests,

and we find that the

requirement we adopt today most appropriately balances the need to increase protection for customers

from these types of fraudulent schemes while providing wireless providers the flexibility the record shows

they need to respond to new and emerging threats.

security authentication standard will afford customers the highest level of protection by allowing wireless

increasing risk of fraud”); Princeton Comments at 2 (“We support the Commission’s proposal to require that carriers

complete strong customer authentication before effectuating a SIM swap.”); Somos Comments at 2 (“It should be

required that trusted identity verification and validation, as qualification of a SIM swap transaction must be

implemented.”); ATL Comments at 1 (supporting “additional fraud prevention methods and requiring all carriers to

adopt secure methods of authenticating a customer before SIM changes”); Prove Comments at 2-3 (“Prove believes

that carriers should securely authenticate customers prior to effectuating any SIM swap or port-out request.”).

101

Comments at 12-13; NCTA Comments at 2-6; Somos Comments at 2; CTIA Reply at 15.

102

possession, reputation, and ownership); Princeton Comments at 5-6, 12 (supporting the use of multi-factor

combination of technology and human solutions, with examples provided); BPI/BITS Comments at 2-3 (expressing

support for “app-based push notification to a trusted mobile device, biometrics identifiers, or cryptographic keys,”

3 IAL2, AAL2, and FAL2 before authorizing SIM Swap and Port-Out transactions.”); iProov Comments at 5-7

methods, in ways that both account for advances in the technology and tactics used by bad actors and that

work best for their customers and the particular services they offer.

Additionally, we believe this

flexibility alleviates record concerns about the limited information wireless providers may have to

authenticate customers of pre-paid accounts.

establishes a requirement that wireless providers regularly, but not less than annually, review and, as

necessary, update their customer authentication methods to ensure those methods continue to be secure.

authentication, both permitting and obligating wireless providers to design effective methods to

authenticate customers, we decline to enumerate the four specific authentication methods the Commission

authentication methods.

We are convinced by the record that specifying approved authentication

is for organizations to deploy risk-appropriate authentication practices.”); T-Mobile Comments at 2 (“Organizations

should use authentication measures that correspond to the value and sensitivity of the accounts involved.”).

104

context” and that “providers ordinarily do not collect or have detailed identity information for pre-paid customers”);

T-Mobile Comments at 8 (stating that “[p]repaid service generally does not require identity validation for account

set-up”); CCA Comments at 6 (noting that pre-paid customers “often do not provide an accurate address or other

identifying information, making it difficult for carriers to authenticate an account request”); CTIA Comments at 19-

105

be more user-friendly as well.”); Better Identity Coalition Comments at 5-6 (explaining that some forms of multi-

factor authentication can be subject to phishing, but other forms are phishing resistant); iProov Comments at 5-7

(explaining that some biometrics can be vulnerable to social engineering and that device-based biometrics are not as

secure as cloud-based biometrics).

107

message to the account phone number or a pre-registered backup number; (iii) a one-time passcode sent via e-mail

to the e-mail address associated with the account; or (iv) a passcode sent using a voice call to the account phone

number or a preregistered back-up telephone number. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130,

para. 23. No commenters supported our imposing these as the exclusive forms of authentication.

adopting new methods to address evolving techniques used by bad actors.

108

Further, some commenters

assert that requiring specific authentication methods would be burdensome for wireless providers.

109

Additionally, the record reflects that setting specific authentication methods could provide a roadmap for

bad actors seeking to commit fraud.

The record also highlights potential vulnerabilities of the four

authentication methods we proposed,

111

which counsels against us codifying these as secure methods of

authentication in perpetuity. For these reasons, we conclude it is most appropriate to allow wireless

providers to analyze and implement the most effective and secure methods of authenticating customers

information do not constitute secure methods of authentication.

discourage the use of stronger, more innovative approaches to authentication.”); FIDO Alliance Comments at 3

(arguing that reliance on the four specified authentication methods may disincentive carriers to adopt stronger

authentication measures).

109

SIM swap would impose tremendous burdens on carriers and customers without clear additional benefit”); Prove

Comments at 2 (“The authentication protocols proposed in the NPRM are, however, overly prescriptive, out-of-date

110

roadmap to bad actors”); CTIA Comments at 10-11 (“[I]f every provider authenticates requests in the same way,

Technology (NIST) Digital Identity Guidelines or other standards proposed in the record. See SIM Swap and Port-

Out Fraud Notice, 36 FCC Rcd at 14132, para. 28. See CTIA Reply at 18-19 (arguing that while the NIST Digital

Identity Guidelines or FIDO Standards might be useful tools, they should not be mandated); Better Identity

Coalition Comments at 5 (asserting that while the NIST guidelines are a helpful reference point, they should not be

the basis of the Commission’s regulation because they are only updated every 5-7 years and reliance on them “could

inadvertently preclude innovation that might better guard against attacks”); iProov Comments at 8; T-Mobile

Comments at 13 (asserting that the NIST guidelines are a good reference point for best practices but are not a

suitable compliance tool). But see ID.me Comments at 4 (“The FCC should require carriers to comply with NIST

SP 800-63-3 IAL2, AAL2, and FAL2 before authorizing SIM Swap and Port-Out transactions.”).

113

at 8. We believe that such an exception would establish a significant loophole for fraudulent activity and note that in

(continued….)

requests, but we strongly encourage wireless providers to use this mechanism only when paired with other

secure methods of authentication, i.e., as part of multi-factor authentication (MFA).

and Port-Out Fraud Notice, we sought comment on the potential security vulnerabilities of SMS-based

authentication.

115

The record clearly expresses concern about the security risks of SMS-based

authentication when used by third parties, such as financial institutions, largely because this

authentication method becomes vulnerable following fraudulent SIM swaps.

116

117

authentication with secure methods of authentication and replace it with language encouraging wireless providers to

“consider the context in which SMS is deployed, consistent with the discussion in the record” based on the assertion

that wireless providers are “are best suited to determine when and how SMS authentication can be securely deployed

with their own customers on their own networks.” CTIA Nov. 8, 2023 Ex Parte Letter at 11. The existing language

permits providers to make determinations about the best use of SMS-based authentication and simply encourages

that it be paired with more secure authentication measures.

115

116

services, including organizations like financial and crypto service providers, to rely on to authenticate their end

users.”); T-Mobile Comments at 14 (“Entities with sensitive consumer information or assets (e.g., financial services,

cryptocurrency wallets, healthcare, insurance, etc.) should be encouraged to use appropriate authentication methods

that correspond to the sensitivity of accounts or transactions. SMS as the second factor should not necessarily be the

sole authentication method.”); Yubico Comments at 1 (“[A]uthentication based on a person’s phone number that can

be SIM Swapped is not a sustainable model due to the fact that the phone number is not fully controlled by the end

user.”); FIDO Alliance Comments at 2 (explaining how fraudulent SIM swaps allow criminals and foreign

adversaries “to undermine some weaker forms of multi-factor authentication (MFA) such as one-time passcodes

(OTPs) transmitted via SMS”); Better Identity Coalition Comments at 2 (noting that attackers trick customers into

handing over OTPs sent via SMS when used in other sectors). Several commenters assert that the use of SMS-based

authentication by third parties creates significant incentive for bad actors to carry out SIM swap fraud. See, e.g.,

Better Identity Coalition Comments at 2 (asserting that the fact that SMS “is widely used as an authentication

method [by many companies and organizations] has created incentives for criminals to launch SIM Swap attacks”);

FIDO Alliance Comments at 3 (“To truly eliminate SIM Swap attacks, the best way to do so is to get companies and

(“[T]he reliance of financial and cryptocurrency firms on SMS for authentication is driving fraudsters to constantly

pursue new avenues of SIM and porting fraud.”).

of its low cost and easy use’” (quoting the FTC’s Safeguards Rule)); AT&T Comments at 6 (noting that “[a]t a

(“We support allowing SMS and voice call authentication methods when the carrier can deliver the passcode

exclusively over its own network and to a specific known device (e.g., smartphone) or point of service (e.g., landline

in some instances, it may be the most practical means a provider can authenticate a customer, particularly

when considering the needs of a particular customer.

We anticipate that the approach we take here

strikes the right balance between protecting customers against SIM swap fraud while preserving the

relative ease with which customers can obtain legitimate SIM changes. We emphasize, however, that our

rules create an ongoing obligation that wireless providers ensure the authentication methods they use are

secure. Accordingly, permitting wireless providers to use SMS-based authentication does not create a

safe harbor for use of this authentication method. We will continue to monitor the use of SMS-based

(Continued from previous page)

Reply at 16 (acknowledging that a OTP sent via SMS may not be useful in the case of a lost or stolen phone, but that

it “may be perfectly appropriate [for SIM change authentications] when the customer is in possession of the

device”). In the SIM Swap and Port-Out Fraud Notice, we highlighted an investigation which found that SMS-

based text messages could be easily intercepted and re-routed using a low-cost, online marketing service, but we

also explained that wireless providers had reportedly mitigated that vulnerability and no commenters raised this as a

concern in the record. SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14130-31, para. 24.

118

other identifying information, making it difficult for carriers to authenticate an account request with this kind of

information.”); CTIA Reply at 16 (“[T]he record makes clear that customer needs vary, for example as between

consumer and business customers, and that those variable customer needs inform authentication practices.”). We

recognize that SMS-based authentication also is a common authentication method used by wireless providers. See,

e.g., AT&T Comments at 6 (“AT&T routinely uses a one-time PIN delivered via SMS message or an outbound

methods and reevaluate whether to retain them.”).

120

provider shall not notify a primary account holder of a survivor’s request for a SIM change when made in

connection with a line separation request pursuant to 47 U.S.C. § 345 and this subpart).

121

authentication attempts.

While the SIM Swap and Port-Out Fraud Notice raised these issues, no

commenters offered evidence to counter the researchers’ findings. Without procedures in place to

respond to failed authentication attempts, bad actors can seek to circumvent wireless provider

authentication mechanisms to fraudulently obtain a SIM change. We anticipate that requiring wireless

providers to establish procedures to respond to failed authentication attempts that are reasonably designed

to prevent unauthorized access to a customer’s account will impede these fraud attempts. We conclude

that whatever burdens may be associated with this requirement are outweighed by the Commission’s

in connection with a SIM change request. We find that anchoring this rule in a reasonableness standard

activity.

implementation of such procedures only where a wireless provider has reason to believe multiple

authentication attempts are fraudulent; CTIA does not address how such determinations would be made

absent the very procedures we require.

notify customers in the event of multiple failed authentication attempts in connection with SIM change

requests.

Industry commenters assert that “in many cases, providers will not be able to discern whether

a failed authentication attempt is ‘in connection with a SIM change request’ or some other type of

transaction involving account access for which authentication is needed and fails,” and that “a carrier does

not typically know why a customer authenticates until after the customer has successfully

authentication attempts because users attempt to access their accounts across various platforms, such as over the

phone, online, or in retail stores run by the carrier or a third party); CTIA Comments at 16 (“[D]eveloping

procedures to track multiple failed authentication attempts as contemplated in the NPRM would be challenging for

providers, as authentication attempts may occur across different settings (e.g., in person, online, or over the phone)

128

responding to multiple failed authentication attempts “where a carrier has reason to believe such attempts are

fraudulent” implies that wireless carriers can and do track multiple authentication attempts, or, at a minimum, are

technically capable of doing so.

multiple failed authentication attempts associated with a SIM change request is not appropriate at this

time. However, we seek comment in the Further Notice below whether we should require wireless

providers, or all telecommunications carriers, to notify customers immediately of all failed authentication

attempts to help protect customers from account fraud, as well as how wireless providers could implement

a customer notice requirement for multiple failed authentication attempts.

3. Customer Notification of SIM Change Requests

covered provider from notifying a primary account holder of a survivor’s request for a SIM change when made in

connection with a line separation request pursuant to 47 U.S.C. § 345 and the implementing rules).

133

SIM swap attempts.”); T-Mobile Comments at 2 (“The Commission should adopt its proposal to require reasonable

efforts to notify users of port-out requests and SIM changes.”); DC Stone Comments (Express) (“At the

consumers[’] option, no SIM porting should be permitted without first sending a notifying email (or SMS message)

to a prearranged contact email address (or phone number).”); see also Verizon Comments at 6 (“[N]otifying the

customer of attempted and/or executed SIM changes, can be useful tools in some cases.”).

(continued….)

notification before the request is processed will prevent the notification from being sent to the bad actor

after a SIM swap has occurred. For these reasons, we agree with Princeton University that “[t]here is an

unambiguous and material security upside,” to immediate customer notification of SIM change requests,

and “the only downside is a very infrequent notification that the customer can easily discard” for

legitimate requests.

this rule, wireless providers will be forced to inundate their customers with the required notifications.

we do not anticipate that the notification

instances and therefore will only need to update their processes to notify customers in all cases.

instances” but that notifications “must be weighed against other goals, and in general, avoid unnecessary friction in

SIM change request notification requirement “either to 1) standalone SIM transactions—i.e., SIM swaps that do not

Letter); see also CTIA Nov. 8, 2023 Ex Parte Letter at 8 (requesting similar SIM transaction notification limitations

threshold, it will require customers confirm the SIM change request via an SMS notification); T-Mobile Comments

(continued….)

Additionally, as discussed below, we give wireless providers flexibility on how to provide the required

notifications, which we expect further minimizes any potential burdens associated with our new rule.

In any event, we find that the benefits of our notification requirement outweigh the potential burdens.

regarding SIM change requests involving a customer’s account, but specify that the notifications must be

reasonably designed to reach the customer associated with the account,

customer preferences, if indicated.

Although some commenters suggest that we should specify the

means by which a wireless provider should deliver SIM change request notifications,

industry commenters that providers need flexibility to determine the most appropriate method to notify

notification that are most likely to reach the customer under those circumstances, such as an email or a

send notifications in accordance with customer preferences, needs, and established expectations.

149

146

147

their customers via the means they deem to be most effective in a particular context.”). Our rule also gives carriers

the flexibility to design a notification process that accommodates scenarios beyond individual customers, such as a

customers that have both a dedicated account representative and a contract that specifically addresses the carriers’

148

(continued….)

us, that requiring wireless providers to limit access to CPNI by employees who receive inbound customer

communications until after the customer has been properly authenticated will help to minimize the

incidences of SIM swap fraud by preventing customer service representatives from inadvertently or

intentionally assisting bad actors in fraudulent schemes.

We are persuaded that, even with the customer

service representative training requirements we adopt today,

189

customer communications to access CPNI prior to proper authentication of the customer is unnecessary

and possibly “invites adversaries to exploit sympathetic, inattentive, or malicious customer service

191

unnecessary exposure of customer data and a violation of the information security principle of minimizing system

who receive inbound customer communications until after the customer has been properly authenticated

to minimize customer account fraud.

195

every SIM change.

protection mechanism and encourage wireless providers to use this procedure when appropriate,

persuaded by AT&T’s argument that requiring this procedure for every SIM change would be a

other requirements proposed in the record concerning customer service representatives who perform SIM

changes. Specifically, a mandate that employees who perform SIM swaps be subject to enhanced

background checks

to swipe a company badge when entering secure facilities is a good practice that we encourage wireless

198

and would remain susceptible to social engineering and collusion. Also, it is unclear how the second employee

would evaluate the transaction separately from the first employee, or what would happen if, as can occur, a second

employee is not available. Last, the frequency (and thus sheer number) of legitimate SIM changes makes this

suggestion infeasible in practice.”).

199

200

carriers, banks and cryptocurrency exchanges are closed. Carriers must be required to have heightened SIM swap

7. Telecommunications Carriers’ Duty to Protect CPNI

baseline, protections against SIM swap fraud. To ensure that wireless providers adapt their security

fraud,

“protect the confidentiality of proprietary information of, and relating to . . . customers,”

and their

continuing preexisting legal obligation to “take reasonable measures to discover and protect against

attempts to gain unauthorized access to CPNI.”

incidents to determine how the fraud occurred and implement measures to prevent such tactics from being

successful again in the future.

210

ripe to strengthen our number porting rules with baseline measures to increase the protections for

customers against fraudulent port-outs. As with our new SIM change rules, the backbone of our new

204

these bad actors – above and beyond existing regulatory requirements and those proposed in the NPRM,” including

scanning an in-store customer’s ID with technology to verify its authenticity, utilizing data analytics to assess a

11; CTIA Reply at 15-16; Verizon Comments at 5; Somos Comments at 2.

206

207

discover and protect against fraudulent activity beyond what is specifically dictated by the Commission’s rules.”).

208

engages in ongoing, proactive threat evaluation, and information collection on threats and fraud for internal

number porting rules is a requirement that wireless providers use secure methods to authenticate

customers that are reasonably designed to confirm a customer’s identity prior to effectuating number

ports, and we also require wireless providers to notify customers of port-out requests and allow customers

to lock their accounts to prevent port-outs.

To future-proof our requirements, we give wireless

providers flexibility in how to implement them. We anticipate that these new rules will work together to

provide meaningful protection to customers while preserving the efficient and effective processing of

port-out requests that promotes customer choice and competition. As with our new SIM change rules, we

212

1. Customer Authentication Requirements

authenticate customers that are reasonably designed to confirm a customer’s identity before completing a

technology and tactics used by bad actors, providing the greatest protection for customers, and enabling

providers to implement authentication methods in ways that work best for the particular services they

offer.

211

212

213

214

216

authenticate, using multiple authentication methods if necessary, that a survivor requesting a line separation is a user

of a specific line or lines. See Safe Connections Order, FCC 23-96, at para. 52. Covered providers must use

methods that are reasonably designed to confirm the survivor is actually a user of the specified line(s) on the account

when the survivor is not the primary account holder or a designated user. See id. To the extent this requirement

authentication requirements the Commission adopts to implement 47 U.S.C. § 345 serve as an exception to those

other requirements. See id.

217

218

for authenticating customers outweigh speculative concerns that absent standardized authentication

methods, nationwide providers could arbitrarily determine which authentication methods or controls are

sufficient before effectuating ports.

We also agree with CCA that our approach will better serve small

wireless providers by permitting them to “use technologies that are reasonably available and have choice

in the approach to take in authenticating their customers.”

221

Additionally, as we concluded with regard to

authentication for SIM changes, this flexible approach should resolve concerns about authenticating

customers of pre-paid accounts.

requirements, and thus, we require that the secure authentication methods wireless providers adopt

223

(“Flexibility is a critical attribute in any authentication standard: it will help prevent authentication practices from

lagging behind bad actor tactics, it will facilitate continued improvements in authentication practices, and it will help

providers be able to continue to meet customer needs.”); CCA Comments at 5 (explaining that flexibility will allow

carriers to adopt future authentication technologies that “prove[] to be more effective or secure than today’s

technologies”); Princeton Comments at 4 (“We strongly agree that the Commission’s customer authentication rules

should not be technically prescriptive. Authentication methods and security practices continue to evolve, and

carriers should be welcome—and encouraged—to adopt innovative safeguards.”); Verizon Comments at 10-11

(“[P]roviders should retain the flexibility they enjoy today to nimbly adopt new authentication safeguards to stay

ahead of bad actors.”); with RWA Comments at 12-13 (raising concerns that without a “set of uniform

authentication standards” nationwide carriers could “arbitrarily determine which authentication methods or controls

221

operate against in adopting security measures. Smaller carriers may have more limited app or e-commerce

platforms, and may not currently have the capability, for example, to generate a one-time port out PIN via an app on

a 24/7/365 basis.”); but see ID.me Comments at 6-7 (describing its 530 commercial partners, many of which are

“smaller businesses with smaller use cases” and asserting that “[c]omplying with NIST guidelines does not pose any

difficulties for smaller providers when the integration is enabled by a turnkey, SaaS, credential service provider

operating with open protocols”).

222

“[l]ow-income households and households of color [that] are also likely to have limited bandwidth available to use

on their mobile phones, making online authentication more difficult for them”); CCA Comments at 7 (“CCA

members report experience with potential incoming customers who are unable to find the port PIN provided by their

requiring a one-time port-out PIN obtained through a provider app is an effective means for

authenticating customers with a data-enabled smart phone, but that authentication measure may not be a

feasible option for customers without data plans or smartphones, or for those customers who are unable to

navigate the technology. As such, this requirement may necessitate the use of multiple authentication

methods, such as in-person authentication using government-issued identification, over-the-phone

authentication, or alternative methods for individuals with disabilities.

port-out will be burdensome to wireless providers or unreasonably delay the processing of port-out

requests. The record reflects that many wireless providers have already developed and implemented

some form of customer authentication for port-out requests.

streamline implementation and costs. We expect wireless providers to design and implement customer

226

2. Customer Notification of Port-Out Requests

(Continued from previous page)

current provider and experience significant frustration” and “especially those who are older or less familiar with

technology, may be deterred from selecting a provider who may offer a better service”); Verizon Comments at 6

(noting that in-store customers may be less tech savvy and so flexibility with authentication is necessary).

224

an outbound voice call to a postpaid customer’s device for enhanced customer validation,” and its “Number Transfer

PIN process to validate postpaid port-out transactions”); CCA Comments at 3-4 (describing U.S. Cellular’s

assigning of a PIN code to each customer that is used for customer authentication); Better Identity Coalition

Comments at 4 (noting that “two major mobile network operators already support FIDO authentication for their

customers”); NCTA Comments at 4-5 (describing authentication measures some wireless providers already use,

including account PINs); T-Mobile Comments at 4 (“T-Mobile offers various customer authentication options,

which may vary based on customer, account, and device characteristics. T-Mobile customers set up an individual 6-

to-15 digit PIN that can be used to verify the customer’s identity when calling customer service. . . . T-Mobile

customers must provide their PIN when requesting a port-out associated with that account. Most customers that

the Commission’s rules implementing that Act.

We require that wireless providers notify their

customers “immediately” of a porting request to not only ensure that porting requests are processed

efficiently, but also help alert customers quickly to potential fraud to allow them to mitigate damages and

inconvenience resulting from fraudulent or inadvertent port-outs.

provide a uniform safety measure for all port-out requests across the mobile wireless industry, which we

anticipate will reduce the instances of port-out fraud.

providing port-out notifications or particular content and wording for these notifications, but do require

that the notification methods be reasonably designed to reach the customer associated with the account

and that the content and wording use clear and concise language that provides sufficient information to

recognize that wireless providers are in the best position to determine which notification methods and

encourage wireless providers to leverage existing notification methods that are reasonably designed to

developed to stay responsive to evolving fraud schemes.

porting-out process. Second, because wireless providers are already familiar with notifying customers

opportunity to prevent account takeovers before they are completed”).

230

232

push notification through wireless provider software applications. Verizon Comments at 6 (“Providers also should

transaction.”).

at 4 (noting that as part of its efforts to “help customers secure their accounts, T-Mobile notifies customers of

account changes and requests”); Verizon Comments at 6 (“Verizon already employs (or is on track to employ) many

of the methods identified in the NPRM, such as notifying customers of high-risk SIM change authentication

(continued….)

requests,

we anticipate that wireless providers will face low burdens in implementing today’s customer

notification requirement for port-out requests. We also expect that these existing notification systems can

be leveraged to help minimize any potential costs associated with notifying customers of port-out

requests. Third, we disagree with AT&T’s assertion that customer notification of port-out requests will

result in notice fatigue, undermining its efficacy.

Nothing in the record supports the notion that

customers request port-outs at such a rate that, upon the adoption of this rule, wireless providers will be

forced to inundate their customers with the required notifications.

As such, we conclude that the

port-outs.

heightened security measures”); see also Wireless Number Portability Order, 18 FCC Rcd at 10975-76, paras. 14-

16.

the option to lock port requests, similar to an account freeze, in order to prohibit unauthorized requests.”); DC Stone

Comments (Express) at 1 (arguing that account locks are “an effective tool for concerned or savvy consumers to

prevent unauthorized account activity and especially fraud, just as with credit reporting agencies”); NCLC/EPIC

Comments at 11 (explaining that “the ability to freeze one’s own account is an excellent way for an individual

240

(continued….)

comply with the measure.

or methods for customers to unlock or unfreeze their accounts or impose a waiting period before an

unlocked account can be transferred, and as such, we decline to do so at this time. Although we do not

prescribe the exact form of the account lock mechanism wireless providers must adopt, the process to

activate and deactivate an account lock must not be unduly burdensome for customers such that it

effectively inhibits them from implementing their choice.

244

We stress that when activated, wireless

to those customers that a lock has been activated with instructions on how the customers can deactivate

out lock must be limited in duration and extend only so long as the high risk of fraud is evident to the

methods wireless carriers must employ to combat fraudulent SIM swaps and port-outs”); CTIA Reply at 26-27

245

247

provider. In establishing this limitation, we intend to prohibit wireless provider abuse of port-out locks to

avoid, among other outcomes, preventing the customer from terminating service with the provider or

moving to another competing provider.

voluntarily offer account locks to all their customers,

we are unpersuaded by AT&T’s claim that implementing account lock offerings will be unduly costly and

time-consuming for wireless providers.

we find that they are outweighed by the benefits.

4. Wireless Port Validation Fields

T-Mobile Comments at 4 & 11 (“Qualifying customers may wish to enable safeguards such as setting up account

takeover protection—a free feature that prohibits unauthorized users from porting the customer’s phone line to

another wireless carrier.”); NCTA Comments at 4-5 (“Wireless providers already engage in many [measures to

prevent SIM swap and port-out fraud] today, including . . . providing the ability to lock or freeze wireless

accounts.”); see also Verizon, Additional Support Information, https://www.verizon.com/support/port-out-

faqs/#setup-freeze (last visited Oct. 18, 2022) (offering a “Number Lock” service that is a customer-managed

porting freeze option accessible by dialing 611 or through the MyVerizon app); T-Mobile, Account Takeover

Protection by T-Mobile, https://www.t-mobile.com/support/plans-features/account-takeover-protection (last visited

Oct. 18, 2023) (providing information on its Account Takeover Protection feature, which “adds additional security

to your account by blocking unauthorized users from transferring your lines to another wireless carrier”).

254

255

code is of limited use for verification given its wide availability” and its use to complete porting requests “has

resulted in unnecessary confusion”) with CCA Comments at 6-7 (noting that data fields should not be mandatory as

flexibility allows carriers to respond to “security needs and capabilities”); AT&T Comments at 15 & n.15

(“Proposed rule § 52.37(a) – (c), addressing data fields to validate a port-out request, should retain the flexibility to

allow carriers to continue using temporary transaction-specific PINs assigned by the carrier in lieu of account-level

passcodes assigned by customers, as the temporary PIN offers superior protection”); CTIA Comments at 19 (stating

(continued….)

fraud,”

296

and therefore that the responsibility for financial harms that a bad actor may be able to

perpetuate following such fraud is borne by several parties, including, significantly, the bad actor.

Imposing such liability on wireless providers would be inequitable and would reduce the incentives for e-

mail and social media providers, financial institutions, healthcare providers, retail websites, and other

entities that rely on cell phone-based identity authentication to improve their security practices,

as well

as reduce the incentive for customers to act responsibly.

rules is not a safe harbor for wireless providers; customers will still be able to pursue any existing

adopt today—including employee training regarding SIM swap and port-out fraud and restrictions on the

or who have difficulties obtaining relief for frauds that are perpetrated on them because of the provider’s

mandated by the Commission.”

The Commission has full authority to enforce the protections it has

incentivize wireless providers to adopt strong practices to protect customers from SIM swap and port-out

fraud. Nonetheless, we seek comment below on whether the Commission should require providers to

303

Office of Management and Budget (OMB), upon completion of that review, whichever is later. We

conclude that providing six months to achieve compliance with rules that are not subject to OMB review

accounts for the urgency of safeguarding customers from these fraudulent schemes, and will allow

wireless providers to coordinate any updates needed to their systems and processes to comply with the

Safe Connections Act and the rules we adopt to implement that statute.

can result in substantial harm to the customer, including loss of service on their devices. Fraudulent SIM

swaps and port-outs allow bad actors to perpetrate greater fraud by giving them the means to complete

reasons, and given that “providers are simultaneously preparing to come into compliance with the Safe Connections

some wireless providers already use, including account PINs); T-Mobile Comments at 4 (“T-Mobile offers various

customer authentication options, which may vary based on customer, account, and device characteristics.”); Verizon

Comments at 8-9 (describing current authentication measures, including a transaction-specific “Number Transfer

PIN” and notifying customers of port requests via text message and email); CTIA Comments at 3-4 (noting that

some providers already employ multi-factor authentication when account changes are requested).

307

adopting heightened security measures”); CTIA Comments at 3-4 (explaining that some providers notify customers

when a SIM swap is initiated).

block’. . .”); NCTA Comments at 4-5 (“Wireless providers already . . . provid[e] the ability to lock or freeze wireless

accounts.”); CTIA Reply at 26-27 (“[M]any providers already offer account freeze options to their customers.”);

(continued….)

customers about available fraud protection measures,

and port-out fraud,

providers, particularly smaller providers, may need the additional time to upgrade their systems,

implement modifications to their policies and procedures, and conduct new customer service

representative training.

and Order to implement these revisions to our CPNI and number porting rules strikes the right balance

between time for wireless providers to implement these changes and accounting for the urgency of

online resources also inform the customer of what to do if they believe someone has made unauthorized charges to

service agents complete mandatory training, including on fraud prevention, authentication, social engineering,

requiring interconnected VoIP providers and their numbering partners to comply with LNP obligations 30 days after

314

315

these reasons, we require wireless providers to implement the rules we adopt today six months after the

effective date of this Report and Order, subject to review by OMB.

Congress’s mandates to ensure that telecommunications carriers (which include, for purposes of our CPNI

rules, providers of interconnected VoIP service) protect the confidentiality of proprietary information of,

and relating to, customers and to provide number portability in accordance with requirements prescribed

by the Commission. As such, the rules we adopt are well-grounded in our authority in sections 222 and

251, as well as other provisions of the Act.

section 222 authority to ensure such safeguards are in place. Among other things, the Commission’s rules

require carriers to take “reasonable measures to discover and protect against attempts to gain unauthorized

access to CPNI” and to “properly authenticate a customer prior to disclosing CPNI based on customer-

initiated telephone contact, online account access, or an in-store visit.”

Like these safeguards, our

action today “strengthen[s] our privacy rules by adopting additional safeguards to protect customers’

321

accounts, including individually identifiable CPNI.

person engaged in the provision of a service that is a commercial mobile service shall, insofar as such person is so

319

We note that the Commission’s CPNI rules apply not only to telecommunications carriers that are subject to Title II

Title I ancillary jurisdiction to apply CPNI rules to interconnected VoIP service providers); see also 47 CFR §

64.2003(o) (“For the purposes of this subpart, the term ‘telecommunications carrier’ or ‘carrier’ shall include an

entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.”).

320

321

322

location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications

carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship;

and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received

(continued….)

bad actor can access CPNI such as incoming call information (including the date and time of the call and

number from which the call is made), and gain access to a victim’s account, potentially giving the bad

actor access to other CPNI, like outgoing call history (including numbers called and the location,

frequency, duration, and timing of such calls)

and the victim’s bills and the services purchased by the

victim. And as described above, fraudulent SIM swaps allow bad actors to perpetrate greater fraud by

giving them the means to complete text and voice authentications to access the victim’s other accounts.

advance the protections against unauthorized disclosure of, and access to, individually identifiable CPNI

and other sensitive personal information about customers, and therefore are squarely grounded in the

Commission’s authority under section 222. Our requirement that wireless providers use secure methods

effectuating a SIM change request will help prevent unauthorized disclosure of and access to such

accordance with section 222(c)(1).

requests and inhibit the ability of employees to participate in fraudulent SIM swaps. Employee training

requirements will not only improve their ability to recognize and derail fraudulent SIM change requests,

documentation of fraud involving their accounts will ensure that the harms of SIM swap and port-out

fraud are mitigated when it does occur. And the requirement that wireless providers keep records of data

regarding SIM change requests and the authentication measures they have in place will help ensure that

wireless providers have information they need to measure the effectiveness of their customer

authentication and account protection measures and make informed decisions about how they should be

updated over time.

prevent and address fraudulent SIM changes, and therefore help wireless providers protect against

unauthorized disclosure and access to CPNI. The requirement that wireless providers immediately notify

customers regarding SIM change requests provides added protection by giving customers information

they can use to notify their providers that a fraudulent request has occurred at the time of the request or

by a customer of a carrier; except that such term does not include subscriber list information.” 47 U.S.C. §

325

authorization” of the customer, a customer shall not be considered to have approved the use or disclosure of or

access to (1) call location information concerning the user of a commercial mobile service or (2) automatic crash

notification information of any person other than for use in the operation of an automatic crash notification system.”

shortly thereafter so that the provider can take timely steps to remediate the situation. Requiring wireless

providers to offer customers the option to lock their accounts so that their providers are prohibited from

processing SIM changes gives security-minded customers or those who are at high risk of fraud a tool to

prevent a fraudulent request from being processed in the first instance. Additionally, our new rule that

wireless providers make notice of account protection mechanisms easily accessible via their websites and

applications ensures that customers are aware of these tools. We also conclude that the requirements we

establish to promptly resolve SIM swap and port-out fraud extend from our section 222 authority because

benefit from such protections.

administration in the United States.”

329

Because our new SIM change rules prevent and address misuse of

numbering authority within section 251(e).

332 of the Act to implement the changes to our number porting rules to address port-out fraud. As the

Commission has consistently found since 1996, “[w]e possess independent authority under sections 1, 2,

4(i), and 332 of the Communications Act of 1934, as amended, to require CMRS providers to provide

number portability as we deem appropriate.”

330

number porting rules applicable to wireless providers that address port-out fraud.

Commission under section 251(e)(1) provides ample authority to extend the LNP requirements as set out

telecommunications carriers without distinguishing between customers who subscribe to pre-paid and postpaid

service).

327

328

329

96-98 et al., Second Report and Order and Memorandum Opinion and Order, 11 FCC Rcd 19392, 19512, para. 271

(1996) (Local Competition Second Report and Order) (explaining that by retaining exclusive jurisdiction over

numbering policy the Commission preserves its ability to act flexibly and expeditiously).

Interval Order and FNPRM, 24 FCC Rcd at 6085 n.8; 2007 VoIP LNP Order, 22 FCC Rcd at 19534 n.11.

331

to all facets of numbering administration in the United States.”

number porting rules designed to protect the customers from port-out fraud fit comfortably within our

exclusive numbering authority because the requirements we establish to prevent and promptly resolve

port-out fraud are necessary to address improper use of numbering resources and ensure that customers

can recover their numbers when fraudulent ports have occurred.

335

that allow for fraudulent SIM swaps and number ports are unjust and unreasonable because they are

data security measures under section 5 of the FTC Act.

337

interest through spectrum licensing. Pursuant to section 303(b)’s directive that the Commission must,

consistent with the public interest, “[p]rescribe the nature of the service to be rendered by each class of

333

says: The FCC has rulemaking authority to carry out the ‘provisions of this Act,’” including provisions added by

necessary to carry out the provisions of this chapter.”).

335

336

337

events/topics/protecting-consumer-privacy-security/privacy-security-enforcement (last visited Oct. 18, 2023) (“The

FTC has brought legal actions against organizations that . . . misled [consumers] by failing to maintain security for

338

requirements prescribe the conditions under which licensed wireless providers must provide their

services. They specifically require licensed wireless providers to provide their services in a way that

protects the interests of their customers, including reasonable measures to prevent fraudulent acts against

their customers.

on whether to harmonize the existing requirements governing customer access to CPNI

with the SIM

change authentication and protection measures we adopt today. This Further Notice expands on

questions the Commission asked in the SIM Swap and Port-Out Fraud Notice and several comments in

Port-Out Fraud Notice, the Commission asked “whether any new or revised customer authentication

340

“benefits to providing expanded authentication requirements before providing access to CPNI to someone

(or prohibited) should apply for access to all CPNI, or only in cases where SIM change requests are being

342

SIM change authentication rules we adopt.

These commenters offered several rationales that

potentially support harmonization of these rules, including that: (1) the CPNI authentication requirements

are outdated and therefore vulnerable to fraud;

carriers;

339

best practices”); Verizon Comments at 7 (asserting that “[m]any customer authentication and security tools have

surpassed the effectiveness of [the current CPNI rules for customer authentication]”); FIDO Alliance Comments at 4

(“In general, industry and government are moving away from knowledge-based approaches to authentication (i.e.

passwords).”); Robert Ross Comments at 7 (“[I]n-store authentication is highly susceptible to human error by store

token, passwords can be socially engineered, hacked or stolen, and driver’s licenses and other government-issued ID

cards can be faked.”); but see AT&T Comments at 5 (“Anti-fraud measures developed consistent with the

Commission’s existing authentication requirements protect consumers in most instances.”).

345

authentication standards: (1) telephone access to CPNI, (2) online access to CPNI, (3) in-store access to CPNI, (4)

SIM swaps, and (5) number portability.”); Princeton Comments at 10 (“[A] unified approach will be easier to

implement: carriers need only adopt one compliant customer authentication system for all account access and

operations.”).

adopting more secure measures;

346

existing CPNI authentication requirements could undermine stronger authentication measures for SIM

changes and number ports.

carriers need flexibility to implement more secure authentication measures.

We seek comment on these

justifications.

small carriers, to adjust the CPNI authentication and protection practices they have already implemented

SIM change safeguards, we seek comment on the extent to which the rules should be harmonized. We

seek comment whether to remove the prescriptive authentication requirements in our current CPNI

the identity of a customer prior to disclosing CPNI. We also seek comment on whether to use the same

definition of secure methods of authentication, which are those that are reasonably designed to confirm a

customer’s identity and excluding use of readily available biographical information, account information,

recent payment information, call detail information, or any combination of these factors.

into bad actors’ hands by discouraging carriers from adopting new methods not expressly blessed by the

Commission’s rule, while inhibiting the ability of carriers and other stakeholders to innovate, as necessary and

appropriate, to address evolving threats.”).

347

provides a ‘roadmap’ to bad actors.’ The answer is a resounding yes.”) (footnote omitted).

and nimbly to new threats and to encourage adopting innovative solutions to threats.”); Princeton Comments at 4

(“Authentication methods and security practices continue to evolve, and carriers should be welcome—and

encouraged—to adopt innovative safeguards.”); Somos Comments at 2 (“As with most fraud the telecom industry

suffers, the bad actors are constantly evolving. Solutions should evolve, as well.”); Verizon Comments at 7 (“To

keep ahead of bad actors, providers need flexibility to employ other more secure alternatives to passwords and

government-issued IDs.”); Better Identity Coalition at 4 (“Any regulatory approach that seeks to tie MNOs to using

specific authentication technologies is certain to fail to keep up as threat and security both evolve.”).

351

we seek comment on whether the procedures we require carriers to adopt for responding to failed

authentication attempts in connection with SIM change requests should apply to all other CPNI

authentications as well.

harmonized with any of the other SIM change protections we adopt today. Should the limits on access to

CPNI by employees who receive inbound customer communications prior to authentication of the

customer apply to all telecommunications carriers? Should the CPNI rules only be harmonized to include

some of these measures? If so, which measures should and should not be harmonized and why? Should

353

originally implement the CPNI authentication rules in order to harmonize any of the CPNI rules, and seek

this provision continues to provide us with sufficient authority to harmonize those rules with the SIM

change rules.

are any legal implications for the harmonization approach we propose. For instance, in the 2016

Broadband Privacy Order, the Commission harmonized the CPNI rules for voice providers with those it

had adopted for broadband Internet access service providers,

disapproved rule “in substantially the same form” and from issuing a new rule “that is substantially the

comment on what steps the Commission can take to harmonize government efforts to address SIM swap

and port-out fraud.

authentication practices of other industries.

353

354

355

16-106, Report and Order, 31 FCC Rcd 13911, 13913, para. 3 (2016).

healthcare regulators, on strategies. Other regulators may consider new rules on authentication and steer companies

away from relying on methods that are not suitable given the nature and sensitivity of information or functions being

accessed.”).

359

cryptocurrency companies, text message aggregators) that all play a role in the verification of customer identity.”);

entire ecosystem that includes carriers and subscribers as well as financial institutions, email providers, retail

(continued….)

The Federal Communications Commission amends Parts 52 and 64 of Title 47 of the Code of Federal

Regulations as follows:

PART 52 – NUMBERING

1. The authority citation for part 52 continues to read as follows:

2. Add § 52.37 to subpart C to read as follows:

§ 52.37 Number Portability Requirements for Wireless Providers

(a) Applicability. This section applies to all providers of commercial mobile radio service (CMRS), as

defined in 47 CFR § 20.3, including resellers of wireless service.

(c) Customer notification of port-out requests. Upon receiving a port-out request, and before effectuating

the request, a CMRS provider shall provide immediate notification to the customer that a port-out request

associated with the customer’s account was made, sent in accordance with customer preferences, if

indicated, and using means reasonably designed to reach the customer associated with the account and

clear and concise language that provides sufficient information to effectively inform a customer that a

port-out request involving the customer’s number was made, except if the port-out request was made in

connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and Part 64, Subpart II of

this chapter, regardless of whether the line separation is technically or operationally feasible.

(d) Account locks. A CMRS provider shall offer customers, at no cost, the option to lock their accounts to

prohibit the CMRS provider from processing requests to port the customer’s number. A CMRS provider

reasonable belief that the customer is at high risk of fraud, but must provide the customer with clear

notification that the account lock has been activated with instructions on how the customer can deactivate

the account lock, and promptly comply with the customer’s legitimate request to deactivate the account

lock.

(e) Notice of Account Protection Measures. A CMRS provider must provide customers with notice, using

clear and concise language, of any account protection measures the CMRS provider offers, including

those to prevent port-out fraud. A CMRS provider shall make this notice easily accessible through the

CMRS provider’s website and application.

(f) Employee Training. A CMRS provider shall develop and implement training for employees to

specifically address fraudulent port-out attempts, complaints, and remediation. Training shall include, at

fraud, and how to direct potential victims and individuals making potentially fraudulent requests to

employees specifically trained to handle such incidents.

fraudulent number ports;

involving their accounts.

(h) This section may contain information-collection and/or recordkeeping requirements. Compliance with

any information collection requirements in this section that the Wireline Competition Bureau determines

is required under the Paperwork Reduction Act or the Wireline Competition Bureau determines that such

review is not required. The Commission directs the Wireline Competition Bureau to announce a

compliance date for this section by subsequent Public Notice and to cause this section to be revised

accordingly.

PART 64 – MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

3. The authority citation for part 64 continues to read as follows:

card associated with a device that stores unique information that can be identified to a specific mobile

network.

customer that are reasonably designed to confirm the customer’s identity before executing a SIM change

request, except to the extent otherwise required by 47 U.S.C. § 345 (Safe Connections Act of 2022) or

Part 64, Subpart II of this chapter. Authentication methods shall not rely on readily available biographical

information, account information, recent payment information, or call detail information unless otherwise

permitted under 47 U.S.C. § 345 or Part 64, Subpart II of this chapter. A CMRS provider shall regularly,

but not less than annually, review and, as necessary, update its customer authentication methods to ensure

that its authentication methods continue to be secure. A CMRS provider shall establish safeguards and

64, Subpart II of this chapter.

before effectuating the request, a CMRS provider shall provide immediate notification to the customer

that a SIM change request associated with the customer’s account was made, sent in accordance with

customer preferences, if indicated, and using means reasonably designed to reach the customer associated

with the account and clear and concise language that provides sufficient information to effectively inform

a customer that a SIM change request involving the customer’s SIM was made, except if the SIM change

request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. § 345 and

account, except if the SIM change request was made in connection with a legitimate line separation

must not be unduly burdensome for customers such that it effectively inhibits customers from

implementing their choice. A CMRS provider may activate a SIM change lock on a customer’s account

when the CMRS provider has a reasonable belief that the customer is at high risk of fraud, but must

provide the customer with clear notification that the account lock has been activated with instructions on

how the customer can deactivate the account lock, and promptly comply with the customer’s legitimate

notice, using clear and concise language, of any account protection measures the CMRS provider offers,

including those to prevent SIM swap fraud. A CMRS provider shall make this notice easily-accessible

through the CMRS provider’s website and application.

customers:

fraudulent SIM changes;

changes; and

total number of complaints received regarding fraudulent SIM change requests, the authentication

measures the CMRS provider has implemented, and when those authentication measures change. A

CMRS provider shall provide such data and information to the Commission upon request.

requirements. Compliance with paragraph (h) will not be required until this subparagraph is removed or

contains a compliance date, which will not occur until the later of: i) [INSERT DATE SIX MONTHS

AFTER THE EFFECTIVE DATE OF THIS REPORT AND ORDER]; or ii) after the Office of

Management and Budget completes review of any information collection requirements in paragraph (h)

that the Wireline Competition Bureau determines is required under the Paperwork Reduction Act or the

Wireline Competition Bureau determines that such review is not required. The Commission directs the

Wireline Competition Bureau to announce a compliance date for this paragraph (h) by subsequent Public

Notice and to cause this paragraph to be revised accordingly.

Final Regulatory Flexibility Analysis

1

Regulatory Flexibility Analysis (IRFA) was incorporated into the Protecting Consumers from SIM Swap

and Port-Out Fraud Notice of Proposed Rulemaking (SIM Swap and Port-Out Fraud Notice) released in

September 2021.

2

and Port-Out Fraud Notice, including comment on the IRFA. The comments received are discussed

below. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.

while preserving the relative ease with which customers can obtain legitimate SIM changes and number

ports. Specifically, the Report and Order revises the Commission’s CPNI and LNP rules to require that

number ports. This requirement is reinforced by other rules, including that wireless providers adopt

prevent and address fraudulent SIM changes and number ports, including requiring that wireless providers

notify customers regarding SIM change and port-out requests, offer customers the option to lock their

accounts to block processing of SIM changes and number ports, and give advanced notice of available

account protection mechanisms. Additionally, the Report and Order establishes requirements to

minimize the harms of SIM swap and port-out fraud when it occurs, including requiring wireless

providers to maintain a clear process for customers to report fraud, promptly investigate and remediate

fraud, and promptly provide customers with documentation of fraud involving their accounts. Finally, to

1

5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, has been amended by the Small Business Regulatory

Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).

2

SIM Swap and Port-Out Fraud Notice, 36 FCC Rcd at 14152-14161, para. 6., Appx. B.

3

5 U.S.C. § 604.

4

FCC, Port-Out Fraud Targets Your Private Accounts, https://www.fcc.gov/port-out-fraud-targets-your-private-

potential impact of rules on small carriers. The Competitive Carriers Association (CCA) advocated that

the Commission adopt security measures that give providers flexibility to account for the constraints with

which many small providers operate.

The Rural Wireless Association (RWA) called for uniform

standards for port-out authentication to prevent potential anticompetitive activities and increased costs for

small providers in the event that larger providers hold small providers to standards that are difficult or

costly to implement.

baseline requirements that build on existing mechanisms that many wireless providers already use to

Administration

Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the

Apply

organization,” and “small governmental jurisdiction.”

same meaning as the term “small business concern” under the Small Business Act.

concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of

operation; and (3) satisfies any additional criteria established by the SBA.

the outset, three broad groups of small entities that could be directly affected herein.

are industry specific size standards for small businesses that are used in the regulatory flexibility analysis,

according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a

small business is an independent business having fewer than 500 employees.

13

These types of small

5

See CCA Comments at 6.

6

See RWA Comments at 12-14.

businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million

businesses.

electronic filing requirements for small exempt organizations.

Nationwide, for tax year 2020, there

were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less

according to the registration and tax data for exempt organizations available from the IRS.

districts, with a population of less than fifty thousand.”

U.S. Census Bureau data from the 2017 Census

19

exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO

Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast

18

5 U.S.C. § 601(5).

ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-

surveys/cog/about.html.

20

U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and

State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local

less than 50,000 and 12,040 special purpose governments—independent school districts

23

with enrollment

populations of less than 50,000.

estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.”

1. Providers of Telecommunications and Other Services

wired communications networks.

combination of technologies. Establishments in this industry use the wired telecommunications network

VoIP services, wired (cable) audio and video programming distribution, and wired broadband Internet

and infrastructure that they operate are included in this industry.

in the provision of fixed local services.

providers have 1,500 or fewer employees.

34

most of these providers can be considered small entities.

size standard for small businesses specifically applicable to local exchange services. Providers of these

services include both incumbent and competitive local exchange service providers. Wired

Telecommunications Carriers

35

is the closest industry with an SBA small business size standard.

Wired

Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers.

The SBA small business size standard for Wired Telecommunications Carriers classifies firms having

40

service providers.

can be considered small entities.

36

13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111).

37

Fixed Local Exchange Service Providers include the following types of providers: Incumbent Local Exchange

Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs),

Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service

Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers.

38

13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111).

39

meet the SBA size standard.

41

Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022),

https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf.

43

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,”

https://www.census.gov/naics/?input=517311&year=2017&details=517311.

45

in this industry that operated for the entire year.

46

250 employees.

47

Report, as of December 31, 2021, there were 1,212 providers that reported they were incumbent local

exchange service providers.

1,500 or fewer employees.

49

Commission estimates that the majority of incumbent local exchange carriers can be considered small

entities.

the SBA has developed a size standard for small businesses specifically applicable to local exchange

54

Monitoring Report, as of December 31, 2021, there were 3,378 providers that reported they were

competitive local exchange service providers.

providers have 1,500 or fewer employees.

56

most of these providers can be considered small entities.

small business size standard specifically for Interexchange Carriers. Wired Telecommunications

46

U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for

the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311,

Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022),

https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf.

49

Id.

50

Competitive Local Exchange Service Providers include the following types of providers: Competitive Access

Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP

Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers,

Local Resellers, and Other Local Service Providers.

51

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,”

https://www.census.gov/naics/?input=517311&year=2017&details=517311.

https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePrevie

55

Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022),

56

Id.

wireless providers to use existing methods of notification that are reasonably designed to reach the

affected customer. Several of our rules build on existing mechanisms that many wireless providers

already use, and therefore, we expect that our new rules will further minimize the costs and burdens for

those providers, and should significantly reduce compliance requirements for small entities that may have

smaller staff and fewer resources.

providers already have in place some of the policies and procedures this Report and Order adopts and that

in a given circumstance. The Report and Order further minimizes any potential burdens of customer

notifications by declining to prescribe particular content and wording and giving wireless providers

flexibility on how to deliver such notifications. Similarly, for customer notices, the Report and Order

1

Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant

economic impact on a substantial number of small entities by the policies and rules proposed in the

Protecting Consumers from SIM Swap and Port-Out Fraud Further Notice of Proposed Rulemaking

(Further Notice). Written comments are requested on this IRFA. Comments must be identified as

responses to the IRFA and must be filed by the deadlines for comments on the Further Notice provided

of authenticating a customer before redirecting a customer’s phone number to a new device or provider.

requirements governing customer access to CPNI

4

with the SIM change authentication and protection

the record, or any other justifications, provide a rationale for harmonizing the existing CPNI rules with

the customer protection measures adopted in the Report and Order, as well as any reasons why the

Commission should not harmonize its existing CPNI rules with the SIM swap fraud protection measures

adopted in the Report and Order.

customer notification, or require notification only in instances of multiple failed attempts or when there is

reasonable suspicion of fraud.

332 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154, 201, 222, 251, 303(r), and

332.

5 U.S.C. § 603(b)(3).

8

15 U.S.C. § 632.

11

Id.

define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number of

small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt

Organizations – Form 990-N (e-Postcard), “Who must file,” https://www.irs.gov/charities-non-profits/annual-

electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data

were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less

according to the registration and tax data for exempt organizations available from the IRS.

of Governments

purpose governments and special purpose governments in the United States.

Of this number, there were

36,931 general purpose governments (county,

) with populations of

estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.”

State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local

19

Id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017

category.

(continued….)

1. Providers of Telecommunications and Other Services

wired communications networks.

facilities that they operate to provide a variety of services, such as wired telephony services, including

VoIP services, wired (cable) audio and video programming distribution, and wired broadband Internet

services.

By exception, establishments providing satellite television distribution services using facilities

and infrastructure that they operate are included in this industry.

size standard for small businesses specifically applicable to local exchange services. Providers of these

services include both incumbent and competitive local exchange service providers. Wired

25

Id.

Audio Bridge Service Providers, and Other Local Service Providers. Local Resellers fall into another U.S. Census

Bureau industry group and therefore data for these providers is not included in this industry.

27

13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111).

28

U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for

29

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that

meet the SBA size standard.