
FCC 23 95A: Everything Telcos Need to Know About New Regulations

by Bob Long, President, Americas
March 7, 2024

The FCC (Federal Communications Commission) in the U.S. recently published and amended its rules governing the responsibilities of telecommunications organizations to protect customer security and create a competitive market.

FCC 23 95A, a new set of rules set forth to both edit and clarify the responsibilities of telco service providers, aims to find the balance between customer protection and customer access. The rules focus on requirements and desired outcomes while avoiding prescriptive language around specific security mechanisms or technology to provide flexibility in implementation. As both security and fraud techniques and technology evolve, these FCC telco policies will follow an aggressive, 6-month implementation timeline (currently negotiated to July 2024).

Originally published in November 2023, FCC 23 95A brings consistency to the minimum security practices required across service providers and clarity for customers with (warranted) particular expectations. Although some service providers may already have implemented many of the rules, having a formal regulatory statement is intended to bring consistency across the market.

It’s important to understand prior FCC telco regulations to best grasp where these new rules will take providers, 3rd parties, and customers in the immediate future – and the type of security technology organizations will need to remain compliant with FCC 23 95A. Failure to adapt to these changes could result in obsolescence.

Stepping Stones: Previous FCC Telco Rules

Customer accessibility is critical for both the safety of telco customers (and their data) and for building a competitive landscape where users can exercise choice when it comes to picking a service provider.

It’s critical that the type of access required to initiate account porting processes allows for the protection of individuals who need to separate their access from that of the telco account owner, whether for personal safety or legal reasons.

Unauthorized SIM-swap and port-out fraud can create a domino effect that exposes the customer’s personal data, or worse, it can create a breach that could be used to gain unauthorized access to the rest of that person’s digital world–their bank accounts, credit cards, social media, personal documents, and even health records.

FCC data breach rules have been implemented that speak to these concerns.

Local Number Portability (LNP)

Providers must allow users to take their phone number with them to a new telco provider. This rule is a great feature for encouraging customer choice and competition but is challenging where security is concerned. As processes and security checks are added to interactions, this FCC telecom policy mandates that they must not be abused for customer lock-in.

Customer Proprietary Network Information (CPNI)

Protecting customer privacy is a key responsibility for providers, and this rule provides guidance on when – and with whom – data can be shared.

As the FCC moves forward with 23 95A, six key requirements of the new FCC rules, broken down below, are critical for telco providers to understand so that organizations can prepare accordingly for the fast-approaching July 2024 implementation date.

1. SCA (Strong Customer Authentication)

  • Providers must implement SCA to protect all SIM-swap and port-out processes – and all types of accounts (pre-paid, post-paid, etc.)
  • Multi-factor authentication (MFA) is recommended, but ultimately the choice is left to the discretion of the provider.
  • Providers are not required to notify customers of failed authentication attempts, but it’s recommended that they’re part of the risk analysis process.

How Daon Can Help

Daon’s authentication solution, xAuth™, provides MFA across all channels, including in-person, call center, and online (mobile/web). Strong authentication is guided by risk analysis, customer context, and policy to provide convenient, secure customer experiences that quickly authenticate genuine users and keep fraudsters at bay through proprietary technology and liveness detection. Daon’s solution even provides audit and transaction data to aid in fraud investigations.

2. Customer Notifications of Changes

  • Providers must use appropriate channels and timely delivery to inform customers of any service changes so that the customer can respond in kind.

How Daon Can Help

The orchestration capabilities of TrustX® can help with negotiating callouts to backend notification services to manage multi-step processes. Providers can create new or edit pre-defined, best-practice workflows via no-code, drag-and-drop functionality.

An optimized rules engine and real-time testing offer the tools and knowledge to make process adjustments on the fly–all with no development required.

3. Account Lock Feature

  • All providers must provide this for all types of accounts.
  • Feature may be activated automatically by the provider due to detection of perceived risk–with notification to the customer.
  • Providers must provide consistent messaging and assistance for customers to activate/deactivate the feature.
  • The feature must not be used anti-competitively to block account porting.

How Daon Can Help

Daon’s authentication solutions can provide the appropriate step-up authentication needed for critical, high-consequence transactions (like SIM-swapping or changing providers). xFace offers highly secure, biometrics-backed step-up authentication that can be implemented on any smartphone with a camera built in 2010 or later, providing the most enhanced security possible to a majority of the telco market’s customer base.

xAuth™ allows providers to add additional security factors for step-up authentication, go passwordless to eliminate security concerns with passwords, or even implement standards-based FIDO UAF and FIDO2-certified biometric authenticators as an MFA factor for industry-leading security.

4. Tracking Effectiveness of SIM Change Protection Measures

  • Providers must keep audit reports for three years (going forward) and make them available to the FCC.

How Daon Can Help

TrustX® provides built-in reporting so providers can understand every aspect of their customer’s identity journey via the workflow analytics dashboard. Leverage insights derived from visibility, ranging from global benchmarks to individual, customer-level data, to optimize processes. Audit and transaction data are covered in this type of ongoing reporting offered by TrustX.

5. Customer Fraud Reporting and Remediation Processes

  • Providers must have a clear process to help customers report fraud and recover access to their accounts.

How Daon Can Help

The built-in reporting capabilities of TrustX® keep audit and transaction data at a provider’s fingertips to aid in fraud investigations. With a focus on compliance, TrustX enables control over the geographic region in which data is processed and stored and the management of identities across multiple regions. The workflow analytics dashboard makes processing data simple yet secure.

6. Safeguards on Employee Access to CPNI

  • Employees should only have full access to CPNI data after the customer is authenticated.

How Daon Can Help

Daon adheres to FCC CPNI rules by providing call center solutions that automate authentication at both the device- and user-level, allowing providers to feel confident that customers have been securely authenticated and that any risk assessments performed before the customer is connected to their representative are thorough and compliant. xVoice™ can authenticate any customer, anywhere–in seconds.

It helps providers keep fraudsters out with advanced anti-spoofing technology powered by AI and machine-learning algorithms trained to detect synthetic speech and voice replay. xVoice is built to integrate seamlessly with existing IVR, offering passive registration and authentication for little to no customer friction, and also supports multi-factor authentication for high-value transactions.

The Future, the FCC, and The Force of Technology

As FCC 23 95A approaches its implementation deadline in July 2024, telcos across the U.S. are tasked with getting on board or otherwise risking a complete loss of competitiveness in the industry. Technology adoption will be critical to remaining compliant with the FCC’s current and future policies; these regulations are both a great impetus for organizations to embrace modern digital identity solutions and potentially a creator of a level playing field that encourages healthy competition for market share.

Daon is the identity partner–not just a provider–of choice for telcos around the world and at home in the States. Learn more about how we can help your business get up to speed with the future of telecom tech.