Protecting Consumers From SIM-Swap and Port-Out Fraud
| Published date | 14 December 2023 |
| FR Document | 2023-26701 |
| Citation | 88 FR 86614 |
| Pages | 86614-86621 |
| Section | Proposed rules |
| Issuer | Federal Communications Commission |
Federal Register, Volume 88 Issue 239 (Thursday, December 14, 2023)
[Federal Register Volume 88, Number 239 (Thursday, December 14, 2023)]
[Proposed Rules]
[Pages 86614-86621]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-26701]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[WC Docket No. 21-341; FCC 23-95, FR ID 186836]
Protecting Consumers From SIM-Swap and Port-Out Fraud
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
adopted a Further Notice of Proposed Rulemaking (FNPRM) that seeks
comment on whether to harmonize the existing requirements governing
customer access to Customer Proprietary Network Information (CPNI) with
the new Subscriber Identity Module (SIM) change authentication and
protection measures that the Commission adopted; whether limitations on
employee access to CPNI prior to customer authentication should be
extended to all telecommunications carriers; what steps the Commission
can take to harmonize government efforts to address SIM swap and port-
out fraud; and how providers should notify customers of failed
authentication attempts.
DATES: Comments are due on or before January 16, 2024, and reply
comments are due on or before February 12, 2024. Written comments on
the Paperwork Reduction Act proposed information collection
requirements must be submitted by the public and other interested
parties on or before February 12, 2024.
ADDRESSES: You may submit comments, identified by WC Docket No. 21-341,
by any of the following methods:
[ssquf] Federal Communications Commission's website: https://
[[Page 86615]]
apps.fcc.gov/ecfs/. Follow the instructions for submitting comments.
[ssquf] People with Disabilities: Contact the FCC to request
reasonable accommodations (accessible format documents, sign language
interpreters, CART, etc.) by email: [email protected] or phone: 202-418-
0530 or TTY: 202-418-0432.
For detailed instructions for submitting comments and additional
information on the rulemaking process, see the SUPPLEMENTARY
INFORMATION section of this document. In addition to filing comments
with the Office of the Secretary, a copy of any comments on the
Paperwork Reduction Act information collection requirements contained
herein should be submitted to Nicole Ongele, Federal Communications
Commission, 45 L Street SW, Washington, DC 20554, or send an email to
[email protected].
FOR FURTHER INFORMATION CONTACT: For further information, contact
Melissa Kirkel at [email protected] or (202) 418-7958. For
additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, send an
email to [email protected] or contact Nicole Ongele, [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's
Further Notice of Proposed Rulemaking in WC Docket No. 21-341, FCC 23-
95, adopted on November 15, 2023 and released on November 16, 2023. The
full text of the document is available on the Commission's website at
https://docs.fcc.gov/public/attachments/FCC-23-95A1.pdf. The Providing
Accountability Through Transparency Act, Public Law 118-9, requires
each agency, in providing notice of a rulemaking, to post online a
brief plain-language summary of the proposed rule. The required summary
of this FNPRM is available at https://www.fcc.gov/proposed-rulemakings.
To request materials in accessible formats for people with disabilities
(e.g. braille, large print, electronic files, audio format, etc.), send
an email to [email protected] or call the Consumer & Governmental Affairs
Bureau at (202) 418-0530 (voice).
Paperwork Reduction Act
The FNPRM may contain new or modified information collection(s)
subject to the Paperwork Reduction Act of 1995. All such new or
modified information collection requirements will be submitted to OMB
for review under section 3507(d) of the PRA. OMB, the general public,
and other Federal agencies are invited to comment on any new or
modified information collection requirements contained in this
proceeding. In addition, pursuant to the Small Business Paperwork
Relief Act of 2002, we seek specific comment on how we might ``further
reduce the information collection burden for small business concerns
with fewer than 25 employees.''
Comments should address: (a) whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission's burden estimates; (c)
ways to enhance the quality, utility, and clarity of the information
collected; (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated
collection techniques or other forms of information technology; and (e)
way to further reduce the information collection burden on small
business concerns with fewer than 25 employees. In addition, pursuant
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might
further reduce the information collection burden for small business
concerns with fewer than 25 employees.
Regulatory Flexibility Act
The Regulatory Flexibility Act of 1980, as amended (RFA) requires
that an agency prepare a regulatory flexibility analysis for notice and
comment rulemakings, unless the agency certifies that ``the rule will
not, if promulgated, have a significant economic impact on a
substantial number of small entities.'' Accordingly, the Commission has
prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning
the potential impact of rule and policy change proposals in the FNPRM
on small entities. Written public comments are requested on the IRFA.
Comments must be filed by the deadlines for comments on the FNPRM
indicated on the first page of this document and must have a separate
and distinct heading designating them as responses to the IRFA.
Ex Parte Presentations
The proceeding shall be treated as a ``permit-but-disclose''
proceeding in accordance with the Commission's ex parte rules. Persons
making ex parte presentations must file a copy of any written
presentation or a memorandum summarizing any oral presentation within
two business days after the presentation (unless a different deadline
applicable to the Sunshine period applies). Persons making oral ex
parte presentations are reminded that memoranda summarizing the
presentation must: (1) list all persons attending or otherwise
participating in the meeting at which the ex parte presentation was
made, and (2) summarize all data presented and arguments made during
the presentation. If the presentation consisted in whole or in part of
the presentation of data or arguments already reflected in the
presenter's written comments, memoranda or other filings in the
proceeding, the presenter may provide citations to such data or
arguments in his or her prior comments, memoranda, or other filings
(specifying the relevant page and/or paragraph numbers where such data
or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with rule 1.1206(b). In proceedings governed by
rule 1.49(f) or for which the Commission has made available a method of
electronic filing, written ex parte presentations and memoranda
summarizing oral ex parte presentations, and all attachments thereto,
must be filed through the electronic comment filing system available
for that proceeding, and must be filed in their native format (e.g.,
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding
should familiarize themselves with the Commission's ex parte rules.
Comment Period and Filing Procedures
Pursuant to sections 1.415 and 1.419 of the Commission's rules, 47
CFR 1.415, 1.419, interested parties may file comments and reply
comments on or before the dates indicated on the first page of this
document. Comments may be filed using the Commission's Electronic
Comment Filing System (ECFS) or by paper. Commenters should refer to WC
Docket No. 21-341 when filing in response to this FNPRM.
Electronic Filers: Comments may be filed electronically by
accessing ECFS at https://www.fcc.gov/ecfs.
Paper Filers: Parties who choose to file by paper must
file an original and one copy of each filing. Paper filings can be sent
by commercial overnight courier, or by first-class or overnight U.S.
Postal Service mail.
Effective March 19, 2020, and until further notice, the
Commission no longer accepts any hand or messenger delivered filings.
[[Page 86616]]
Commercial overnight mail (other than U.S. Postal Service
Express Mail and Priority Mail) must be sent to 9050 Junction Drive,
Annapolis Junction, MD 20701.
U.S. Postal Service first-class, Express, and Priority Mail must be
addressed to 45 L Street NE, Washington, DC 20554.
People with Disabilities: To request materials in accessible
formats for people with disabilities (braille, large print, electronic
files, audio format), send an email to [email protected] or call the
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).
Synopsis
1. Harmonizing the CPNI Safeguards Rules. In this FNPRM, we first
seek comment on whether to harmonize the existing requirements
governing customer access to CPNI with the SIM change authentication
and protection measures we adopt. This FNPRM expands on questions the
Commission asked in the SIM Swap and Port-Out Fraud Notice and several
comments in the record, but seeks more targeted feedback on a specific
approach. In particular, in the SIM Swap and Port-Out Fraud Notice, the
Commission asked ``whether any new or revised customer authentication
measures . . . would offer benefits for all purposes.'' The Commission
also asked whether there are ``benefits to providing expanded
authentication requirements before providing access to CPNI to someone
claiming to be a carrier's customer,'' as well as ``whether any
heightened authentication measures required (or prohibited) should
apply for access to all CPNI, or only in cases where SIM change
requests are being made.'' Additionally, the Commission proposed to add
a prohibition on the use of recent payment and call detail information
to authenticate customers for online access to CPNI.
2. Several commenters suggested that we harmonize our CPNI
authentication rules with the SIM change authentication rules we adopt.
These commenters offered several rationales that potentially support
harmonization of these rules, including that: (1) The CPNI
authentication requirements are outdated and therefore vulnerable to
fraud; (2) inconsistent rules are more burdensome on carriers; (3) some
carriers default to specified authentication measures and are
disincentivized from adopting more secure measures; (4) a prescribed
list provides a road map for bad actors; and (5) the existing CPNI
authentication requirements could undermine stronger authentication
measures for SIM changes and number ports. Harmonization also would be
consistent with commenters' assertions that carriers need flexibility
to implement more secure authentication measures. We seek comment on
these justifications.
3. We also seek comment on other potential justifications for
harmonization. For instance, we tentatively conclude that harmonized
authentication and protection requirements will be easier for wireless
providers to implement and therefore will reduce costs and burdens on
carriers, including small carriers. We further tentatively conclude
that multiple authentication standards and protection requirements may
be confusing for customers. Are these tentative conclusions correct?
4. We seek comment on any reasons why we should not harmonize our
CPNI and SIM change authentication rules. For example, would it be
costly and burdensome for carriers, particularly small carriers, to
adjust the CPNI authentication and protection practices they have
already implemented to comply with the authentication requirements we
adopted? Are there other reasons harmonized rules would increase the
costs or burdens on carriers, including small carriers? Is there
anything unique about CPNI or SIM changes that warrants different
authentication measures? For instance, even if the existing measures
for CPNI authentication may be outdated and less secure, are
modifications to the rules unwarranted because the risk of harm from
unauthorized access to CPNI is lower than from SIM swap fraud?
5. If we do choose to harmonize the rules addressing customer
access to CPNI with our new SIM change safeguards, we seek comment on
the extent to which the rules should be harmonized. We seek comment
whether to remove the prescriptive authentication requirements in our
current CPNI rules and replace them with the single requirement that
carriers use secure methods of authenticating the identity of a
customer prior to disclosing CPNI. We also seek comment on whether to
use the same definition of secure methods of authentication, which are
those that are reasonably designed to confirm a customer's identity and
excluding use of readily available biographical information, account
information, recent payment information, call detail information, or
any combination of these factors. Additionally, we seek comment on
whether the procedures we require carriers to adopt for responding to
failed authentication attempts in connection with SIM change requests
should apply to all other CPNI authentications as well. We also seek
comment on whether the CPNI customer access rules should be harmonized
with any of the other SIM change protections we adopt. Should the
limits on access to CPNI by employees who receive inbound customer
communications prior to authentication of the customer apply to all
telecommunications carriers? Should the CPNI rules only be harmonized
to include some of these measures? If so, which measures should and
should not be harmonized and why? Should we harmonize the customer
notification rules for all account changes? Additionally, are there any
other rules that would need to be modified for consistency if we
harmonize the CPNI rules, such as the Commission's Telecommunications
Relay Service (TRS) CPNI rules? Should the Commission apply any
harmonized rules to all customer proprietary information?
6. We tentatively conclude that we should rely on the same legal
authority we used to originally implement the CPNI authentication rules
in order to harmonize any of the CPNI rules, and seek comment on this
tentative approach. In the 2007 CPNI Order (72 FR 31948 (June 8,
2007)), as with the rules we adopted, we relied primarily on section
222 to implement the CPNI authentication rules, and we tentatively
conclude this provision continues to provide us with sufficient
authority to harmonize those rules with the SIM change rules. We seek
comment on this tentative conclusion. We also seek comment on whether
there are any legal implications for the harmonization approach we
propose. For instance, in the 2016 Broadband Privacy Order (81 FR 87274
(Jan. 3, 2017)), the Commission harmonized the CPNI rules for voice
providers with those it had adopted for broadband internet access
service providers, but those rules were nullified by Congress pursuant
to the Congressional Review Act, which prohibits the Commission from
reissuing a disapproved rule ``in substantially the same form'' and
from issuing a new rule ``that is substantially the same as such a
rule.'' We tentatively conclude that the 2017 action by Congress has no
effect on the options we may consider here and seek comment on this
tentative conclusion.
7. Harmonizing Government Efforts to Address SIM Swap and Port-Out
Fraud. We seek comment on what steps the Commission can take to
harmonize government efforts to address SIM swap and port-out fraud. As
several
[[Page 86617]]
commenters noted, SIM swap and port-out fraud implicates the
authentication practices of other industries. We recognize that there
may be other efforts within the government to tackle SIM swap and port-
out fraud to address the broader implications of these harmful
practices. We seek information about those other efforts and the extent
to which they seek to address the practices of wireless providers. We
also seek comment on how the Commission can work with other government
entities to harmonize our approaches to addressing SIM swap and port-
out fraud.
8. Customer Notification of Failed Customer Authentication
Attempts. We seek comment on whether we should require wireless
providers to immediately notify customers in the event of a failed
authentication attempt, except to the extent otherwise required by the
Safe Connections Act of 2022 (47 U.S.C. 345) or the Commission's rules
implementing that statute. We believe that such notifications could
empower customers to take action to prevent unauthorized access to
their account when failed authentication attempts are fraudulent.
Should we require all telecommunications carriers to provide such
notifications to customers? In the event the Commission were to require
such notifications, we tentatively conclude that the notifications
should be reasonably designed to reach the customer associated with the
account but otherwise would permit wireless providers to determine the
method of providing these notifications, taking into consideration the
needs of survivors pursuant to the Safe Connections Act and our
implementing rules. We also tentatively conclude that such
notifications should use ``clear and concise language'' but do not
propose to prescribe particular content or wording for the
notifications.
9. Industry commenters assert that ``a carrier does not typically
know why a customer authenticates until after the customer has
successfully authenticated.'' Based on these assertions, should we
permit carriers to employ ``reasonable risk assessment techniques to
determine when a failed authentication attempt requires customer
notification,'' or require notification only in instances of multiple
failed attempts, or when there is reasonable suspicion of fraud? What
are the benefits and costs of doing so, for both providers and
customers? If we were to require customer notification only where there
were multiple failed authentication attempts, what standard would we
use to determine what constitutes ``multiple,'' and how would providers
track multiple authentication attempts across different platforms
(i.e., phone, application, and website)?
10. Other Consumer Protection Measures. We reiterate the
Commission's request for comment on whether there are any additional
requirements the Commission should consider that would help protect
customers from SIM swap or port-out fraud or assist them with resolving
problems resulting from such incidents. For example, should we require
wireless providers to explicitly exclude resolution of SIM change and
port-out fraud disputes from arbitration clauses in providers'
agreements with customers or abrogate such clauses? Would this provide
meaningful additional protections to customers from SIM swap and port-
out fraud? What would be the costs to wireless providers, particularly
small providers, from such a requirement?
11. Digital Equity and Inclusion. Finally, the Commission, as part
of its continuing effort to advance digital equity for all, including
people of color, persons with disabilities, persons who live in rural
or Tribal areas, and others who are or have been historically
underserved, marginalized, or adversely affected by persistent poverty
or inequality, invites comment on any equity-related considerations and
benefits (if any) that may be associated with the proposals and issues
discussed herein. Specifically, we seek comment on how our proposals
may promote or inhibit advances in diversity, equity, inclusion, and
accessibility, as well as the scope of the Commission's relevant legal
authority.
Initial Regulatory Flexibility Analysis
12. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), the Commission has prepared this Initial Regulatory
Flexibility Analysis (IRFA) of the possible significant economic impact
on a substantial number of small entities by the policies and rules
proposed in the Protecting Consumers from SIM Swap and Port-Out Fraud
Further Notice of Proposed Rulemaking (FNPRM). Written comments are
requested on this IRFA. Comments must be identified as responses to the
IRFA and must be filed by the deadlines for comments on the FNPRM
provided on the first page of the item. The Commission will send a copy
of the FNPRM, including this IRFA, to the Chief Counsel for Advocacy of
the Small Business Administration (SBA). In addition, the FNPRM and
IRFA (or summaries thereof) will be published in the Federal Register.
A. Need for, and Objectives of, the Proposed Rules
13. In the SIM Swap and Port-Out Fraud Report and Order (Report and
Order) (88 FR 85794 (Dec. 8, 2023)), the Commission adopts rules to
address fraudulent practices that transfer a customer's wireless
service to a bad actor, allowing the bad actor to gain access to
information associated with the customer's account, and permitting the
bad actor to receive the text messages and phone calls intended for the
customer. Specifically, the Report and Order revises the Commission's
Customer Proprietary Network Information (CPNI) and Local Number
Portability (LNP) rules to require wireless providers to adopt secure
methods of authenticating a customer before redirecting a customer's
phone number to a new device or provider. The Report and Order also
requires wireless providers to immediately notify customers whenever a
SIM change or port-out request is made on customers' accounts, and take
additional steps to protect customers from SIM swap and port-out fraud.
This approach sets baseline requirements that establish a uniform
framework across the mobile wireless industry while giving wireless
providers the flexibility to deliver the most advanced and appropriate
fraud protection measures available.
14. In this FNPRM, we seek comment on whether to harmonize the
existing requirements governing customer access to CPNI with the SIM
change authentication and protection measures adopted in the Report and
Order. This FNPRM expands on questions asked in the SIM Swap and Port-
Out Fraud Notice (86 FR 57390 (Oct. 15, 2021)) and several comments in
the record, but seeks more targeted feedback on a specific approach.
The FNPRM explores whether justifications identified by commenters in
the record, or any other justifications, provide a rationale for
harmonizing the existing CPNI rules with the customer protection
measures adopted in the Report and Order, as well as any reasons why
the Commission should not harmonize its existing CPNI rules with the
SIM swap fraud protection measures adopted in the Report and Order.
15. Recognizing that there may be other efforts within the
government to tackle SIM swap and port-out fraud to address the broader
implications of these harmful practices, the FNPRM also seeks comment
on information about those other efforts and what steps the Commission
can take to harmonize government efforts to address SIM swap and port-
out fraud. The FNPRM also
[[Page 86618]]
seeks comment on whether to require wireless providers to immediately
notify customers in the event of a failed authentication attempt,
except to the extent otherwise required by the Safe Connections Act of
2022 (47 U.S.C. 345) or the Commission's rules implementing that
statute, or whether to permit carriers to employ reasonable risk
assessment techniques to determine when a failed authentication attempt
requires customer notification, or require notification only in
instances of multiple failed attempts or when there is reasonable
suspicion of fraud.
B. Legal Basis
16. The proposed action is authorized pursuant to sections 1, 4,
201, 222, 251, 303(r), and 332 of the Communications Act of 1934, as
amended, 47 U.S.C. 151, 154, 201, 222, 251, 303(r), and 332.
C. Description and Estimate of the Number of Small Entities to Which
the Proposed Rules Will Apply
17. The RFA directs agencies to provide a description of, and where
feasible, an estimate of the number of small entities that may be
affected by the proposed rules, if adopted. The RFA generally defines
the term ``small entity'' as having the same meaning as the terms
``small business,'' ``small organization,'' and ``small governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small business concern'' under the Small Business
Act. A ``small business concern'' is one which: (1) is independently
owned and operated; (2) is not dominant in its field of operation; and
(3) satisfies any additional criteria established by the SBA.
18. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. Our actions, over time, may affect small entities that
are not easily categorized at present. We therefore describe, at the
outset, three broad groups of small entities that could be directly
affected herein. First, while there are industry specific size
standards for small businesses that are used in the regulatory
flexibility analysis, according to data from the Small Business
Administration's (SBA) Office of Advocacy, in general a small business
is an independent business having fewer than 500 employees. These types
of small businesses represent 99.9% of all businesses in the United
States, which translates to 33.2 million businesses.
19. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2020, there were
approximately 447,689 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
20. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments indicate there were
90,075 local governmental jurisdictions consisting of general purpose
governments and special purpose governments in the United States. Of
this number, there were 36,931 general purpose governments (county,
municipal, and town or township) with populations of less than 50,000
and 12,040 special purpose governments--independent school districts
with enrollment populations of less than 50,000. Accordingly, based on
the 2017 U.S. Census of Governments data, we estimate that at least
48,971 entities fall into the category of ``small governmental
jurisdictions.''
1. Providers of Telecommunications and Other Services
21. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as establishments primarily engaged in operating
and/or providing access to transmission facilities and infrastructure
that they own and/or lease for the transmission of voice, data, text,
sound, and video using wired communications networks. Transmission
facilities may be based on a single technology or a combination of
technologies. Establishments in this industry use the wired
telecommunications network facilities that they operate to provide a
variety of services, such as wired telephony services, including VoIP
services, wired (cable) audio and video programming distribution, and
wired broadband internet services. By exception, establishments
providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.
Wired Telecommunications Carriers are also referred to as wireline
carriers or fixed local service providers.
22. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2022 Universal Service
Monitoring Report, as of December 31, 2021, there were 4,590 providers
that reported they were engaged in the provision of fixed local
services. Of these providers, the Commission estimates that 4,146
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
23. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses specifically
applicable to local exchange services. Providers of these services
include both incumbent and competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. Wired Telecommunications
Carriers are also referred to as wireline carriers or fixed local
service providers. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2022 Universal Service
Monitoring Report, as of December 31, 2021, there were 4,590 providers
that reported they were fixed local exchange service providers. Of
these providers, the Commission estimates that 4,146 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
24. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the
Commission nor the SBA have developed a small business size standard
specifically for incumbent local exchange carriers. Wired
Telecommunications Carriers is the closest industry with an SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms in this industry that operated for the entire year. Of
this number, 2,964 firms
[[Page 86619]]
operated with fewer than 250 employees. Additionally, based on
Commission data in the 2022 Universal Service Monitoring Report, as of
December 31, 2021, there were 1,212 providers that reported they were
incumbent local exchange service providers. Of these providers, the
Commission estimates that 916 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of incumbent local exchange
carriers can be considered small entities.
25. Competitive Local Exchange Carriers (Competitive LECs). Neither
the Commission nor the SBA has developed a size standard for small
businesses specifically applicable to local exchange services.
Providers of these services include several types of competitive local
exchange service providers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA
small business size standard for Wired Telecommunications Carriers
classifies firms having 1,500 or fewer employees as small. U.S. Census
Bureau data for 2017 show that there were 3,054 firms that operated in
this industry for the entire year. Of this number, 2,964 firms operated
with fewer than 250 employees. Additionally, based on Commission data
in the 2022 Universal Service Monitoring Report, as of December 31,
2021, there were 3,378 providers that reported they were competitive
local exchange service providers. Of these providers, the Commission
estimates that 3,230 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
26. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA have developed a small business size standard specifically for
Interexchange Carriers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA
small business size standard for Wired Telecommunications Carriers
classifies firms having 1,500 or fewer employees as small. U.S. Census
Bureau data for 2017 show that there were 3,054 firms that operated in
this industry for the entire year. Of this number, 2,964 firms operated
with fewer than 250 employees. Additionally, based on Commission data
in the 2022 Universal Service Monitoring Report, as of December 31,
2021, there were 127 providers that reported they were engaged in the
provision of interexchange services. Of these providers, the Commission
estimates that 109 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of providers in this industry
can be considered small entities.
27. Local Resellers. Neither the Commission nor the SBA have
developed a small business size standard specifically for Local
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2022 Universal
Service Monitoring Report, as of December 31, 2021, there were 207
providers that reported they were engaged in the provision of local
resale services. Of these providers, the Commission estimates that 202
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
28. Toll Resellers. Neither the Commission nor the SBA have
developed a small business size standard specifically for Toll
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2022 Universal
Service Monitoring Report, as of December 31, 2021, there were 457
providers that reported they were engaged in the provision of toll
services. Of these providers, the Commission estimates that 438
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
29. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. Additionally, based on Commission data in the 2022 Universal
Service Monitoring Report, as of December 31, 2021, there were 594
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 511
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
30. Wireless Resellers. Neither the Commission nor the SBA have
developed a small business size standard specifically for Wireless
Resellers. The closest industry with an SBA small business size
standard is Telecommunications Resellers. The Telecommunications
Resellers industry comprises establishments engaged in purchasing
access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications
and they do not operate transmission facilities and
[[Page 86620]]
infrastructure. Mobile virtual network operators (MVNOs) are included
in this industry. Under the SBA size standard for this industry, a
business is small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2017 show that 1,386 firms in this industry provided
resale services during that year. Of that number, 1,375 firms operated
with fewer than 250 employees. Thus, for this industry under the SBA
small business size standard, the majority of providers can be
considered small entities.
31. Satellite Telecommunications. This industry comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $38.5 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. Additionally, based on
Commission data in the 2022 Universal Service Monitoring Report, as of
December 31, 2021, there were 65 providers that reported they were
engaged in the provision of satellite telecommunications services. Of
these providers, the Commission estimates that approximately 42
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, a little more than half of these
providers can be considered small entities.
32. All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g. dial-up ISPs) or Voice over internet Protocol
(VoIP) services, via client-supplied telecommunications connections are
also included in this industry. The SBA small business size standard
for this industry classifies firms with annual receipts of $35 million
or less as small. U.S. Census Bureau data for 2017 show that there were
1,079 firms in this industry that operated for the entire year. Of
those firms, 1,039 had revenue of less than $25 million. Based on this
data, the Commission estimates that the majority of ``All Other
Telecommunications'' firms can be considered small.
2. Internet Service Providers
33. Wired Broadband internet Access Service Providers (Wired ISPs).
Providers of wired broadband internet access service include various
types of providers except dial-up internet access providers. Wireline
service that terminates at an end user location or mobile device and
enables the end user to receive information from and/or send
information to the internet at information transfer rates exceeding 200
kilobits per second (kbps) in at least one direction is classified as a
broadband connection under the Commission's rules. Wired broadband
internet services fall in the Wired Telecommunications Carriers
industry. The SBA small business size standard for this industry
classifies firms having 1,500 or fewer employees as small. U.S. Census
Bureau data for 2017 show that there were 3,054 firms that operated in
this industry for the entire year. Of this number, 2,964 firms operated
with fewer than 250 employees.
34. Additionally, according to Commission data on internet access
services as of December 31, 2018, nationwide there were approximately
2,700 providers of connections over 200 kbps in at least one direction
using various wireline technologies. The Commission does not collect
data on the number of employees for providers of these services,
therefore, at this time we are not able to estimate the number of
providers that would qualify as small under the SBA's small business
size standard. However, in light of the general data on fixed
technology service providers in the Commission's 2022 Communications
Marketplace Report, we believe that the majority of wireline internet
access service providers can be considered small entities.
35. Wireless Broadband internet Access Service Providers (Wireless
ISPs or WISPs). Providers of wireless broadband internet access service
include fixed and mobile wireless providers. The Commission defines a
WISP as ``[a] company that provides end-users with wireless access to
the internet[.]'' Wireless service that terminates at an end user
location or mobile device and enables the end user to receive
information from and/or send information to the internet at information
transfer rates exceeding 200 kilobits per second (kbps) in at least one
direction is classified as a broadband connection under the
Commission's rules. Neither the SBA nor the Commission have developed a
size standard specifically applicable to Wireless Broadband internet
Access Service Providers. The closest applicable industry with an SBA
small business size standard is Wireless Telecommunications Carriers
(except Satellite). The SBA size standard for this industry classifies
a business as small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2017 show that there were 2,893 firms in this industry
that operated for the entire year. Of that number, 2,837 firms employed
fewer than 250 employees.
36. Additionally, according to Commission data on internet access
services as of December 31, 2018, nationwide there were approximately
1,209 fixed wireless and 71 mobile wireless providers of connections
over 200 kbps in at least one direction. The Commission does not
collect data on the number of employees for providers of these
services, therefore, at this time we are not able to estimate the
number of providers that would qualify as small under the SBA's small
business size standard. However, based on data in the Commission's 2022
Communications Marketplace Report on the small number of large mobile
wireless nationwide and regional facilities-based providers, the dozens
of small regional facilities-based providers and the number of wireless
mobile virtual network providers in general, as well as on terrestrial
fixed wireless broadband providers in general, we believe that the
majority of wireless internet access service providers can be
considered small entities.
37. Internet Service Providers (Non-Broadband). Internet access
service providers using client-supplied telecommunications connections
(e.g., dial-up ISPs) as well as VoIP service providers using client-
supplied telecommunications connections fall in the industry
classification of All Other Telecommunications. The SBA small business
size standard for this industry classifies firms with annual receipts
of $35 million or less as small. For this industry, U.S. Census Bureau
data for 2017 show that there were 1,079 firms in this industry that
operated for the entire year. Of those firms, 1,039 had revenue of less
than $25 million. Consequently, under the SBA size standard a majority
of firms in this industry can be considered small.
[[Page 86621]]
D. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
38. In this FNPRM, we seek comment on whether to harmonize the
existing requirements governing customer access to CPNI with the SIM
change authentication and protection measures adopted in the Report and
Order, and if so, the extent to which the rules should be harmonized.
We tentatively conclude that harmonized authentication and protection
requirements will be easier for wireless providers to implement and
therefore will reduce costs and burdens on carriers, including small
carriers. Recognizing that there may be other efforts within the
government to tackle SIM swap and port-out fraud to address the broader
implications of these harmful practices, the FNPRM also seeks comment
on information about those other efforts and what steps the Commission
can take to harmonize government efforts to address SIM swap and port-
out fraud.
39. Should the Commission decide to modify existing rules or adopt
new rules to harmonize its existing CPNI rules with rules to protect
customers from SIM swap fraud, such action could potentially result in
increased, reduced, or otherwise modified recordkeeping, reporting, or
other compliance requirements for affected providers of service.
Likewise, should the Commission decide to adopt rules requiring
notification of a failed authentication attempt, such action could
potentially result in increased, reduced, or otherwise modified
recordkeeping, reporting, or other compliance requirements. We seek
comment on the effect of any proposals on small entities. Entities,
especially small businesses, are encouraged to quantify the costs and
benefits of any reporting, recordkeeping, or compliance requirement
that may be established in this proceeding. We anticipate the
information we receive in comments including, where requested, cost and
benefit analyses, will help the Commission identify and evaluate
relevant compliance matters for small entities, including compliance
costs and other burdens that may result from the proposals and
inquiries we make in the FNPRM.
E. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
40. The RFA requires an agency to describe any significant,
specifically small business, alternatives that it has considered in
reaching its proposed approach, which may include the following four
alternatives (among others): ``(1) the establishment of differing
compliance or reporting requirements or timetables that take into
account the resources available to small entities; (2) the
clarification, consolidation, or simplification of compliance and
reporting requirements under the rule for such small entities; (3) the
use of performance rather than design standards; and (4) an exemption
from coverage of the rule, or any part thereof, for such small
entities.''
41. In this FNPRM, we seek comment on whether we should harmonize
the existing requirements governing customer access to CPNI with the
SIM change authentication and protection measures adopted in the Report
and Order, and if so, the extent to which the rules should be
harmonized. Among the justifications on which we seek comment are
whether inconsistent rules are more burdensome on carriers and whether
carriers need flexibility to implement more secure authentication
measures. We also tentatively conclude that harmonized authentication
and protection requirements will be easier for wireless providers to
implement and therefore will reduce costs and burdens on carriers. In
considering additional alternatives, we also ask whether it would it be
costly and burdensome for carriers to adjust the CPNI authentication
and protection practices they have already implemented to comply with
the authentication requirements adopted in the Report and Order, and
whether there are other reasons harmonized rules could increase the
costs or burdens on carriers, including small carriers. Regarding
notification to customers of failed authentication attempts, the FNPRM
seeks comment whether the Commission should require immediate
notification by all telecommunications carriers or only wireless
providers. The FNPRM also asks whether providers should be required to
notify customers immediately of all failed authentication attempts, or
whether instead to permit carriers to employ reasonable risk assessment
techniques to determine when failed authentication attempts require
customer notification, or require notification only in instances of
multiple failed attempts or when there is reasonable suspicion of
fraud. The Commission expects to consider the economic impact on small
entities, as identified in comments filed in response to the FNPRM and
this IRFA, in reaching its final conclusions and taking action in this
proceeding.
F. Federal Rules That May Duplicate, Overlap, or Conflict With the
Proposed Rules
42. None.
Paperwork Reduction Act of 1995 Analysis
This document contains new or modified information collection
requirements. The Commission, as part of its continuing effort to
reduce paperwork burdens, invites the general public to comment on the
information collection requirements contained in this Report and Order
as required by the Paperwork Reduction Act of 1995, Public Law 104-13.
In addition, the Commission notes that pursuant to the Small Business
Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C.
3506(c)(4), we previously sought specific comment on how the Commission
might further reduce the information collection burden for small
business concerns with fewer than 25 employees.
II. Ordering Clauses
43. Accordingly, it is ordered that, that pursuant to the authority
contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154, 201,
222, 251, 303, and 332, this Further Notice of Proposed Rulemaking in
WC Docket No. 21-341 is adopted.
44. It is further ordered that the Commission's Office of the
Secretary, Reference Information Center, shall send a copy of this
Further Notice of Proposed Rulemaking, including the Initial Regulatory
Flexibility Analysis, to the Chief Counsel for Advocacy of the Small
Business Administration.
Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-26701 Filed 12-13-23; 8:45 am]
BILLING CODE 6712-01-P
Start Your Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant
-
Access comprehensive legal content with no limitations across vLex's unparalleled global legal database
-
Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength
-
Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities
-
Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting
Start Your Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant
-
Access comprehensive legal content with no limitations across vLex's unparalleled global legal database
-
Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength
-
Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities
-
Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting
Start Your Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant
-
Access comprehensive legal content with no limitations across vLex's unparalleled global legal database
-
Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength
-
Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities
-
Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting
Start Your Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant
-
Access comprehensive legal content with no limitations across vLex's unparalleled global legal database
-
Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength
-
Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities
-
Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting
Start Your Free Trial of vLex and Vincent AI, Your Precision-Engineered Legal Assistant
-
Access comprehensive legal content with no limitations across vLex's unparalleled global legal database
-
Build stronger arguments with verified citations and CERT citator that tracks case history and precedential strength
-
Transform your legal research from hours to minutes with Vincent AI's intelligent search and analysis capabilities
-
Elevate your practice by focusing your expertise where it matters most while Vincent handles the heavy lifting