This is to remind our clients that the Federal Communications Commission (FCC) requires every telecommunications and interconnected VoIP service provider (including wireless, cable telephony, and even paging and calling card providers) to execute and file an annual officer certification that it is in compliance with the FCC's Customer Proprietary Network Information (CPNI) regulations.
The annual certification for calendar year 2013 must be filed with the FCC by March 3, 2014.
A new FCC Enforcement Advisory on the subject, issued on Feb. 5, 2014, can be found here.
The FCC has issued periodic reminders that service providers that failure to comply with the CPNI rules and to file the required annual certification on time could subject violators to penalties of up to $1.5 million. This is no empty threat: the FCC has taken action against thousands of providers, and the mere failure to file an annual certification has resulted in penalties of up to $100,000. In addition, AT&T paid $200,000 to settle an FCC action arising from deficiencies in its CPNI “opt-out” mechanisms (i.e, the methods through which customers can inform the service provider that it may not use their subscriber records for marketing purposes). We would be happy to provide details or assist you with a review of your opt-out procedures to assure compliance. As a refresher, following is a brief overview of key elements of the FCC's CPNI annual certification requirements. Note that all of this information must pertain to the past calendar year (2013):
- An officer of the company must sign the compliance certificate;
- The officer must affirmatively state in the certification that s/he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- The company must provide a written statement accompanying the certification explaining in detail how its operating procedures ensure that it is in compliance with the CPNI rules;
- The company must include a clear explanation of any actions taken against data brokers;
- The company must include a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or a clear statement that there were no such complaints; and
- The company must report any information in its possession regarding the processes that "pretexters" are using to attempt to gain access to CPNI, and what steps it is taking to safeguard customers' CPNI.
Importantly, in order to truthfully certify to these matters and provide the required information, a service provider must actually have an effective CPNI compliance program in operation. We have assisted many clients in the creation and implementation of CPNI compliance programs and employee training materials. We have also successfully defended clients against FCC enforcement actions, in many cases obtaining “no fault” settlements involving payments at a small fraction of the original FCC proposal, and in others obtaining outright withdrawal of FCC allegations of rule violations.