On November 16, 2023, the Federal Communications Commission ("FCC" or "Commission") released a Report and Order and Further Notice of Proposed Rulemaking ("Order and FNPRM") revising the FCC's Customer Proprietary Network Information ("CPNI") and Local Number Portability ("LNP") rules to protect against fraudulent transfers (or "swaps") of accounts associated with one subscriber identity module ("SIM") in an existing customer's mobile device to a bad actor's device ("SIM swap"). The revised rules also address "port-out" fraud where a subscriber's mobile device service number is fraudulently transferred to a bad actor's mobile device.

The Order adds new provisions to the current CPNI and LNP rules requiring wireless providers to offer additional protections for customers against these specific fraudulent practices with more strict authentication and notice requirements. The final version of the amendments to the rules differed from those included in the draft Order and FNPRM circulated ahead of the Commission's Open Meeting on November 15, 2023, moving to the FNPRM proposals that would require customer notification in cases of failed customer authentication for SIM swap requests and expand the limits on employee access to CPNI to apply to all providers of telecommunications services, rather than just wireless providers.

SIM Swaps and Port-Out Fraud

SIM swapping and number porting provide significant benefits by allowing customers to keep their phone numbers, call detail, and other account information when replacing a mobile device or switching wireless providers. However, SIM swap fraud occurs when a bad actor transfers a customer's SIM to a mobile device in the bad actor's possession by convincing the customer's wireless provider to transfer the service from the customer's device to the bad actor's device. Port-out fraud occurs when the bad actor, posing as the customer, opens an account with a carrier other than the customer's current carrier and then transfers the customer's number (i.e., "ports" the number) to the new fraudulent account. Once a fraudulent SIM swap or port-out request has been completed, the bad actor can intercept text messages and phone calls associated with the customer's financial, social media, and other accounts, and then the bad actor would be able to change login credentials and passwords, obtain sensitive information, access and transfer funds from financial and cryptocurrency accounts, and sell or ransom social media accounts.

The Commission proposed new CPNI and LNP rules in its September 2021 Notice of Proposed Rulemaking, which sought comment on ways to eliminate SIM swap and port-out fraud after determining that the existing CPNI rules did not adequately protect customers from these kind of scams. In June 2023, Chairwoman Rosenworcel launched the new Privacy and Data Protection Task Force to focus on customer protection and data privacy, with the first action of the Task Force being the announcement that the Commission had circulated a draft of these scam protection rules.

Report and Order

The Order adopted the proposal to define "SIM" as "a physical or virtual card associated with a device that stores unique information that can be identified to a specific mobile network." SIM changes historically occurred by removing a physical SIM card from an old phone and placing it in the customer's new phone. Now wireless providers virtually reassign embedded, electronic SIMs, or eSIMs, in modern phones from an old phone to a new one. This has facilitated the practice of bad actors impersonating a wireless provider's customer when calling customer service and convincing the provider to reassign the eSIM card to the bad actor's device, a practice commonly known now as "SIM swap fraud." Port-out fraud occurs similarly when the bad actor impersonates a wireless provider's customer and when calling customer service convinces the provider to port the real customer's telephone number to a device that the bad actor controls that is serviced by a different wireless provider.

In order to minimize SIM swap and port-out fraud, the Order specifically revises the CPNI and LNP rules to require new authentication and notice procedures that wireless providers must follow. By refraining from requiring providers to use specific methods for authentication, as initially proposed in the 2021 NPRM, the Commission is allowing providers flexibility in meeting these obligations and determining which fraud protection measures will work best to securely authenticate and protect their customers, while leaving room for innovation in technology and security practices. Overall, online access to CPNI using the carrier's website or an app requires customers to create and use a password, but in prior orders the FCC did not mandate any specific format, length, or mix of numerals, letters, or other symbols for passwords. Notwithstanding, the FCC "expect[s] carriers to ensure that online access to CPNI is adequately password protected."

  1. Strengthening CPNI Rules to Specifically Address SIM Swaps

    The Order updates the current CPNI rules to reduce SIM swap fraud by requiring providers to use secure methods to authenticate customers prior to any SIM changes and provide alternative forms of notice to alert the customer of significant account changes.

    • Customer Authentication Requirements – The Order requires wireless providers to implement procedures to address failed customer authentication attempts and to notify customers of any SIM Change requests prior to effectuating a SIM change. The Commission concludes that methods using readily available biographical information, account information, recent payment information, and call detail information are not secure methods of authentication for SIM swaps but declines to specify particular methods that providers must use for authentication. Although the Commission had proposed that providers choose from four specific authentication methods in the original NPRM, the FCC now concludes that "specifying approved authentication methods may incentivize wireless providers to rely exclusively on those methods or discourage them from adopting new methods to address evolving techniques used by bad actors." And while the FCC held that relying on recent payment and call detail information to authenticate customers for SIM swaps would not be allowed, it did not amend the rules to prohibit reliance on recent payment and call detail information to authenticate customers for online, telephone, or in-person access to CPNI. And while SMS-based authentication is permissible, the Commission encourages providers to only use SMS authentication when paired with other secure methods like multi-factor authentication. Providers are required to regularly review their authentication methods at least annually and update methods as necessary to make sure they remain effective.
    • Response to Failed Authentication Attempts – The FCC's circulated draft of the Order would have required wireless providers to immediately notify customers of failed authentication attempts in connection with SIM change requests, but the Commission declined to adopt this rule. Instead, the FCC seeks further comment on this proposal on whether only wireless providers or all telecommunications carriers (including VoIP providers) should be required to implement immediate customer notification of all failed authentication attempts, whether to permit carriers to employ reasonable risk assessment techniques to determine when failed authentication attempts require customer notification, or only require notification after multiple failed attempts or when there is a reasonable suspicion of fraud. Wireless providers are, however, required to develop, maintain, and implement procedures for responding to failed authentication attempts that are "reasonably designed" to prevent unauthorized access to customer accounts.
    • Customer Notification of SIM Change Requests – Wireless providers are required to immediately notify customers of any requests for a SIM swap associated with a customer's account. Notifications must be sent before a provider effectuates the SIM change (to prevent the notification from being sent to the bad actor after a SIM swap has occurred), and similarly must be "reasonably designed" to reach the customer using "clear and concise language." Notably, this rule differs from the rule on CPNI notifications, which requires notification via carrier-originated voicemail or text "whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed." More to the point, bad actors may attempt to commit SIM swap fraud by claiming that a device is lost or stolen, so there is a greater need to ensure customers are provided prompt notification of a SIM change request. The new rules provide a flexible approach enabling wireless providers to use methods of notification that are most likely to reach the customer under those circumstances, such as an email or a text or call to a pre-determined back-up phone number instead of delaying SIM changes for 24 hours in the event of any SIM change or failed authentication attempts as had been put out for comment in the original NPRM. "The record reflects that strict requirements involving 24-hour delays or account locks could be overly burdensome for customers that are engaged in legitimate SIM changes."
    • Account Locks for SIM Changes – Wireless providers are required to offer to all customers at no cost the option to lock or freeze their account to stop SIM changes. Providers again are afforded flexibility in how to implement this feature, but the process for activation and deactivation must not be overly burdensome or complicated for customers. Providers may also proactively initiate a SIM swap lock on a customer's account if fraud is suspected but must first provide clear notification to the customer of the suspected fraud and account lock information if they choose to do so. Providers are required to offer account lock features to both prepaid and post-paid services customers. Since these features are optional, the FCC explains that providers can require pre-paid services customers to provide certain information to authenticate and enable account lock features, if necessary.
    • Tracking Effectiveness of SIM Change Protection Measures – Wireless providers are required to collect and maintain data relating to customers' SIM change requests and customer authentication. Specifically, providers must collect and maintain information on: the total number of SIM change requests; the number of successful, failed, and fraudulent SIM change requests; the average time to remediate a fraudulent SIM change; the total number of complaints received regarding fraudulent SIM changes; the authentication measures implemented; and when authentication measures are changed. Information must be retained for three years, although there are no reporting or audit requirements associated with these collection requirements.
    • Safeguards on Employee Access to CPNI – Wireless providers are required to establish safeguards and processes to ensure that employees who receive inbound customer communications are unable to access CPNI during the customer interaction until after a customer has been properly authenticated. The circulated draft version of the Order initially applied this requirement to all telecommunications providers and to all employees who interact directly with customers, rather than limited to only those who receive inbound customer communications, but the FCC instead seeks comment in the FNPRM on whether the employee access provisions should expand beyond wireless providers to include all telecommunications providers.
  2. Strengthening Number Porting Rules

    The Order updates the LNP rules to strengthen customer protection against fraudulent number porting.

    • Customer Authentication Requirements – Similar to the above SIM swap rules, wireless providers are required to use secure methods "reasonably designed" to confirm a customer's identity before completing a port-out request. However, the Commission clarifies that these authentication measures for port-out requests must accommodate the needs of all customers with differing devices or varying degrees of technological literacy, so multiple authentication methods may be necessary to effectively serve all customers who may require alternative solutions for identification and authentication.
    • Customer Notification of Port-Out Requests – Wireless providers are required to immediately notify a customer whenever a port-out request is made, and notice must be sent before a port-out is completed. The FCC "decline[d] to prescribe particular methods for providing port-out notifications or particular content and wording for these notifications, but [did] require that the notification methods be reasonably designed to reach the customer associated with the account and that the content and wording use clear and concise language that provides sufficient information to effectively inform a customer that a port-out request involving the customer's number was made." Providers may send notifications in accordance with any indicated customer preferences.
    • Account Locks – As with SIM swaps, wireless providers are required to offer both pre-paid and post-paid customers the same option to lock or freeze their account to stop any port-out requests at no cost to the customer.
  3. Additional Consumer Protection Measures

Beyond the rules outlined for SIM swaps and port-outs, the Order adopts additional requirements for wireless providers to improve customer protection measures. The Commission requires that wireless providers inform customers of any account protection measures that are offered by the provider, train company customer service representatives to identify and report bad actors, implement a transparent process for customers to report and receive documentation of any instances of SIM swap or port-out fraud, and promptly investigate and remediate any instances of fraud.

Further Notice of Proposed Rulemaking

Moving forward, the FNPRM seeks comment on whether to harmonize the existing CPNI access framework with the SIM change authentication rules adopted in the Order and seeks comment on any specific actions or measures for consideration in aligning these two frameworks. Expanding on the draft Order's proposals that were moved to the FNPRM, the Commission seeks comment on whether it should require wireless providers to immediately notify customers in the event of failed authentication attempts to obtain access to CPNI and, further, if it should expand this notification requirement to all telecommunications providers, even though the risk of harm from unauthorized access to CPNI is lower than from SIM swap or port-out fraud. As initially proposed, the FCC tentatively concludes that notifications should be reasonably designed to reach the customer but would allow wireless providers to determine the delivery method and content of customer notifications. The Commission asks at what point notifications of failed authentication should be required, proposing either in instances of multiple failed attempts or a reasonable suspicion of fraud or, alternatively, leave the threshold for notification for the carrier to decide.

The FNPRM also inquires whether the limits on wireless providers employees' access to CPNI should be expanded to include all telecommunications carriers' employees, as initially proposed in the circulated draft Order. Among other inquiries, the FNPRM seeks comment on how the Commission can help harmonize other government regulators' efforts to address the broader implications of SIM swap and port-out fraud that impacts financial institutions, healthcare providers, cryptocurrency companies, retail websites, and social media companies, and asks if there are other customer protection measures that have yet to be considered, such as requiring wireless providers to explicitly exclude resolution of SIM change and port-out fraud disputes from arbitration clauses and whether any proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility.

Implementation Timeframe

All wireless providers are required to comply with the adopted rules six months after the effective date of the Order or for certain requirements requiring OMB approval, the time frame identified in such approval, whichever is later. The Commission declined to adopt benchmark timeframes or extended timelines for smaller carriers to comply with the Order's requirements, finding that an aggressive implementation timeframe is appropriate given the risk of harm to all customers resulting from fraudulent practices. Comments on the FNPRM will be due 30 days after publication in the Federal Register with reply comments due 60 days after publication.