Initial commit — Performance West telecom compliance platform

Includes: API (Express/TypeScript), Astro site, Python workers,
document generators, FCC compliance tools, Canada CRTC formation,
Ansible infrastructure, and deployment scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
justin 2026-04-27 06:54:22 -05:00
commit f8cd37ac8c
1823 changed files with 145167 additions and 0 deletions

View file

@ -0,0 +1,146 @@
# Do-Not-Originate (DNO) List Enforcement Guide
## Implementation Handbook for Voice Service Providers
**Prepared by Performance West Inc.**
**Effective Date: 2026**
---
## 1. What Is the DNO List?
The FCC Do-Not-Originate (DNO) list is a database of telephone numbers that should **never** appear as the calling party number on the public switched telephone network (PSTN). These numbers are known to be used for illegal robocalling, spoofing, or fraud.
The DNO list is maintained by the **Industry Traceback Group (ITG)**, operated by USTelecom — the Broadband Association, and is distributed to voice service providers and gateway providers for enforcement.
**Regulatory basis:** 47 CFR § 64.6305 (2025 RMD Report & Order, effective February 5, 2026)
---
## 2. Who Must Enforce the DNO List?
All providers who file in the FCC Robocall Mitigation Database:
- **Voice Service Providers** (originating carriers)
- **Gateway Providers** (receiving international traffic)
- **Intermediate Providers** (transit/tandem carriers)
If you have an RMD filing, you are expected to enforce the DNO list.
---
## 3. Implementation Steps
### Step 1: Obtain the DNO List
**Check with your switch/platform provider first.** Many VoIP platforms, hosted PBX providers, and wholesale carriers already include DNO list enforcement as part of their service at no extra cost. If your provider handles this for you, confirm it in writing and reference it in your RMD filing — you may not need to manage the list yourself.
**If your platform does NOT include DNO enforcement,** you must obtain the DNO registry directly:
- **DNO Registry:** https://tracebacks.org/dno-registry/
- This is the official source operated by USTelecom's Industry Traceback Group (ITG)
- The registry provides a downloadable list of numbers that must be blocked
- Register for access and download the current list
- Updates are published regularly — check the registry for the current update schedule
**Other sources that may include DNO enforcement:**
- Call analytics vendors (TransNexus, Neustar, Hiya) often include DNO blocking in their platforms
- Your upstream carrier may already block DNO-listed numbers before they reach your network
### Step 2: Integrate into Your Call Routing
**For SIP/VoIP infrastructure:**
```
# Example: SIP proxy rule (Kamailio/OpenSIPS/FreeSWITCH concept)
# Block calls where the FROM or P-Asserted-Identity matches a DNO number
if (is_in_dno_list($fU)) {
sl_send_reply("603", "Decline - DNO Listed Number");
exit;
}
```
**Implementation options by platform:**
| Platform | Method |
|---|---|
| FreeSWITCH | Load DNO list into mod_blacklist or use a Lua/Python script in dialplan |
| Kamailio | Hash table lookup in route block, loaded from DB or file |
| Asterisk | Use a database-backed dialplan function (ODBC or AstDB) |
| Metaswitch | Policy rule in call control configuration |
| BroadSoft/Cisco BroadWorks | System-level origination blocking rule |
| Cloud UCaaS | Contact your UCaaS vendor — they should enforce DNO on your behalf |
### Step 3: Apply to All Call Origination Points
The DNO check must be applied at **every point where calls enter your network**:
1. **Customer-facing SIP trunks** — check the calling number before routing
2. **Gateway interfaces** — check foreign-originated traffic at ingress
3. **Wholesale interconnections** — check traffic received from downstream carriers
4. **SIP registration** — optionally prevent registration of DNO-listed numbers as extensions
### Step 4: Establish an Update Schedule
| Frequency | Action |
|---|---|
| **Daily** (recommended) | Download latest DNO list, update blocking rules |
| **Immediately** | If you receive a traceback request identifying a DNO number you're originating, block within 4 hours |
| **Monthly** | Audit your blocking logs to confirm DNO enforcement is working |
### Step 5: Log and Report
Maintain logs of:
- DNO list version/date loaded
- Number of calls blocked per day due to DNO match
- Any exceptions or overrides (there should be none for DNO numbers)
- Date and time of each list update
These logs demonstrate compliance if the FCC or ITG requests evidence of enforcement.
---
## 4. What to Do If a Customer Complains
If a legitimate customer reports their number is being blocked:
1. Verify the number against the current DNO list
2. If the number IS on the DNO list, the customer must contact the ITG to request removal
3. Do NOT create exceptions to bypass DNO blocking — this violates your RMD certification
4. Document the complaint and your response
---
## 5. Documenting DNO Enforcement in Your RMD Filing
Your RMD certification and/or robocall mitigation plan (Exhibit A) should include language such as:
> "[Company Name] immediately blocks any numbers identified on the FCC Do-Not-Originate (DNO) list. DNO list updates are applied daily to prevent origination of calls from numbers known to be used for illegal robocalling. Blocking is enforced at all network ingress points including customer SIP trunks, gateway interfaces, and wholesale interconnections."
---
## 6. Common Mistakes to Avoid
| Mistake | Consequence |
|---|---|
| Not mentioning DNO in your RMD filing | Filing flagged as deficient |
| Updating the list monthly instead of daily | Stale data allows blocked numbers through |
| Only blocking on one trunk, not all ingress | Partial enforcement = non-compliance |
| Creating manual exceptions for "known good" customers | Undermines the entire program |
| Not logging blocked calls | Cannot demonstrate compliance to FCC/ITG |
---
## 7. Resources
- **Industry Traceback Group:** https://tracebacks.org
- **USTelecom:** https://www.ustelecom.org
- **FCC RMD Portal:** https://apps.fcc.gov/rmd/
- **47 CFR § 64.6305:** https://www.ecfr.gov/current/title-47/chapter-I/subchapter-B/part-64/subpart-CC
- **2025 RMD Report & Order:** FCC 25-6 (effective February 5, 2026)
---
*This guide is provided for informational purposes as part of your RMD filing service. It is not legal advice. Consult with your regulatory counsel for implementation decisions specific to your network.*
*Performance West Inc. — performancewest.net — 1-888-411-0383*

View file

@ -0,0 +1,184 @@
# Know Your Customer (KYC) Procedures Guide
## Implementation Handbook for Voice Service Providers
**Prepared by Performance West Inc.**
**Effective Date: 2026**
---
## 1. What Are KYC Procedures Under the RMD?
The FCC's 2025 RMD Report & Order requires all voice service providers to implement **Know Your Customer (KYC) procedures** as part of their robocall mitigation program. KYC is the process of verifying the identity and legitimacy of customers before providing them with voice service — and monitoring them on an ongoing basis.
**Regulatory basis:** 47 CFR § 64.1200(n)(4), reinforced by the 2025 RMD Report & Order (FCC 25-6)
---
## 2. Required KYC Elements
Your KYC program must include:
### A. Information Collection at Signup
Collect the following from every new customer before activating service:
| Required Information | Purpose |
|---|---|
| Full legal name (individual or entity) | Identity verification |
| Physical business address (no P.O. boxes for high-volume/toll-free) | Location verification |
| Business identification (EIN/tax ID, or last 4 SSN for individuals) | Tax identity confirmation |
| Government-issued photo ID | Identity authentication |
| Business website or description of legitimate business purpose | Legitimacy assessment |
| Contact phone and email | Communication channel |
### B. Verification Steps
For each new customer, perform these checks:
1. **Cross-reference business name + EIN** against your state's business registry or IRS database
2. **Verify address** via USPS Address Verification or a third-party source (LexisNexis, Dun & Bradstreet)
3. **Authenticate photo ID** — confirm it is genuine, not expired, and the name matches (see recommended tool below)
4. **Open-source search** — search the customer name and principals for:
- Prior association with illegal robocalling
- Inclusion on the ITG's known bad-actor traceback list
- FCC enforcement actions or complaints
- Spoofing or fraud complaints
#### Recommended: Stripe Identity for ID Verification
For automated, reliable identity verification, we recommend **Stripe Identity** (https://stripe.com/identity). It provides:
- **Government-issued ID document verification** — authenticates the ID is real, not expired, and not tampered with
- **Selfie matching with liveness detection** — confirms the person holding the ID is the person on it
- **SSN-based ID number lookup** (US only) — cross-references against authoritative databases
**Pricing:**
- **First 50 verifications: FREE** (included with any Stripe account)
- **$1.50 per verification** after the free tier
- **Volume discounts** available for 2,000+ verifications/month (contact Stripe)
This is significantly cheaper than traditional KYC vendors and integrates directly into your customer onboarding flow via API or hosted verification page. Most small-to-mid carriers will stay within the free tier (50 new customers per billing cycle). At $1.50 each after that, verifying 100 customers costs just $75.
**Integration:** Stripe Identity can be embedded as a link in your customer signup form — the customer clicks a link, takes a photo of their ID and a selfie, and Stripe returns a pass/fail result to your system within seconds. No manual review needed for passing verifications.
### C. Red-Flag Review
Trigger enhanced due diligence when any of the following occur:
- Customer is unwilling or unable to provide complete KYC information
- Discrepancies between provided information and public records
- Use of privacy-protected or anonymous registration services
- Usage patterns inconsistent with stated business purpose
- Prior complaints, tracebacks, or enforcement actions linked to the customer
- Request for unusually high call volumes relative to stated business size
### D. Ongoing Monitoring
- **Annual re-vetting** for all customers (minimum)
- **Immediate re-review** upon complaints, traceback requests, or anomalous traffic patterns
- **High-volume/toll-free customers:** quarterly review
---
## 3. Implementation Steps
### Step 1: Create Your KYC Intake Form
Build a customer onboarding form (paper or digital) that collects all required fields. Store responses in your CRM or customer database.
**Recommended fields:**
```
- Legal entity name
- DBA / trade name
- Entity type (LLC, Corp, Sole Prop, etc.)
- EIN or Tax ID
- State of formation
- Physical address (street, city, state, zip)
- Mailing address (if different)
- Primary contact name, title, phone, email
- Government-issued ID (upload or in-person)
- Business website URL
- Description of intended use of voice services
- Expected monthly call volume
- Authorized signatory for service agreement
```
### Step 2: Build Your Verification Checklist
For each new customer, a team member should complete:
- [ ] Business name verified against state registry
- [ ] EIN verified (IRS EIN verification letter or cross-reference)
- [ ] Address validated via USPS or third-party
- [ ] Photo ID reviewed and authenticated
- [ ] Web search completed for bad-actor associations
- [ ] ITG traceback list checked (if available)
- [ ] FCC ECFS searched for complaints against this entity
- [ ] No red flags identified (or enhanced due diligence completed)
- [ ] Acceptable Use Policy signed by customer
- [ ] Service activated
### Step 3: Acceptable Use Policy
Every customer must sign an Acceptable Use Policy (AUP) that includes:
- Prohibition of illegal robocalling, spoofing, and fraud
- Prohibition of originating calls to/from DNO-listed numbers
- Agreement to cooperate with traceback requests
- Right to immediately suspend service for violations
- Requirement to notify you of changes to business information
### Step 4: Set Up Ongoing Monitoring
Configure your systems to flag:
- Customers exceeding their stated call volume by 2x or more
- Sudden spikes in short-duration calls (potential robocall signature)
- High Answer-Seizure Ratio (ASR) anomalies
- Complaints received from downstream carriers or end users
- Traceback requests from ITG or law enforcement
### Step 5: Document Your Process
Write an internal SOP document covering:
- Who performs KYC reviews (role/title)
- How records are stored and for how long
- What triggers enhanced due diligence
- How to handle customer refusals
- Escalation procedures for red-flag findings
---
## 4. Documenting KYC in Your RMD Filing
Your RMD certification (Exhibit A) should include:
> "[Company Name] conducts internal Know Your Customer (KYC) procedures for all customers. At account signup or upon any material change in service usage, we require and collect: full legal name, physical business address, business identification (EIN or tax ID), government-issued photo ID, and a description of legitimate business purpose. We cross-reference business information against state registries, validate addresses via USPS, verify photo ID authenticity, and conduct open-source searches for prior robocalling associations. Enhanced due diligence is triggered when red flags are identified."
---
## 5. Common Mistakes to Avoid
| Mistake | Consequence |
|---|---|
| No KYC section in RMD filing | Filing flagged as deficient under 2026 requirements |
| Collecting info but not verifying it | Non-compliance — verification is the key requirement |
| No ongoing monitoring after signup | Fails the "continuous compliance" standard |
| No AUP or terms of service | Cannot enforce against abusive customers |
| Storing KYC data without security measures | Potential data breach liability |
---
## 6. Resources
- **FCC 47 CFR § 64.1200(n)(4):** KYC requirements for voice service providers
- **ITG (Industry Traceback Group):** https://tracebacks.org
- **FCC ECFS (complaints search):** https://www.fcc.gov/ecfs/
- **USPS Address Verification:** https://tools.usps.com/zip-code-lookup.htm
- **IRS EIN Verification:** https://www.irs.gov/businesses/small-businesses-self-employed/employer-id-numbers
---
*This guide is provided for informational purposes as part of your RMD filing service. It is not legal advice.*
*Performance West Inc. — performancewest.net — 1-888-411-0383*

View file

@ -0,0 +1,139 @@
# Material Change Update Procedures Guide
## Implementation Handbook for Voice Service Providers
**Prepared by Performance West Inc.**
**Effective Date: 2026**
---
## 1. What Is the Material Change Requirement?
Under the FCC's 2025 RMD Report & Order (effective February 5, 2026), all providers with an RMD filing must update their certification within **10 business days** of any material change to their operations, ownership, or filing information.
Failure to update within 10 business days can result in a **$1,000 per day forfeiture**.
**Regulatory basis:** 47 CFR § 64.6305, 2025 RMD Report & Order (FCC 25-6)
---
## 2. What Counts as a Material Change?
| Category | Examples |
|---|---|
| **Ownership** | Change in controlling interest, merger, acquisition, new parent company |
| **Corporate identity** | Legal name change, DBA change, new EIN |
| **Contact information** | New robocall mitigation contact person, email, phone, address |
| **STIR/SHAKEN status** | Change from partial to full implementation, switch to a different STI-CA, loss of SPC token |
| **Provider classification** | Adding gateway operations, ceasing to be a VSP, becoming an intermediate provider |
| **Upstream provider** | Changing the upstream carrier that provides STIR/SHAKEN signing |
| **Robocall mitigation program** | Significant changes to KYC procedures, analytics vendors, blocking policies |
| **Trade names / DBAs** | Adding or removing names under which you operate |
---
## 3. Implementation Steps
### Step 1: Designate a Compliance Officer
Assign one person (and a backup) as the **RMD Compliance Officer** responsible for:
- Monitoring for material changes
- Initiating the update process within 10 business days
- Maintaining an audit trail of updates
**Recommended:** The same person who is listed as the RMD contact on your filing.
### Step 2: Create a Material Change Checklist
Post this checklist where operations, legal, and management teams can see it:
**When ANY of the following occur, notify the RMD Compliance Officer immediately:**
- [ ] Company name or DBA changed
- [ ] Ownership or controlling interest changed
- [ ] New parent company, merger, or acquisition
- [ ] RMD contact person changed (name, email, phone)
- [ ] Principal office address changed
- [ ] STIR/SHAKEN certificate authority changed
- [ ] SPC token renewed, revoked, or transferred
- [ ] Upstream provider changed
- [ ] Provider type changed (added/removed VSP/gateway/intermediate)
- [ ] Robocall mitigation program materially revised
- [ ] New analytics vendor deployed or existing vendor discontinued
- [ ] Trade names added or removed
### Step 3: Establish an Internal Notification Process
Create a simple workflow:
```
Change occurs (e.g., new upstream provider signed)
Department head notifies RMD Compliance Officer (email/ticket)
<20><><EFBFBD>
Compliance Officer logs the change in the tracking spreadsheet
Within 5 business days: prepare updated RMD filing content
Within 10 business days: submit update to FCC RMD portal
Confirm update accepted, save confirmation screenshot
```
### Step 4: Update the RMD Portal
To submit an update:
1. Log in to the FCC RMD portal at https://apps.fcc.gov/rmd/ (MFA required since Feb 5, 2026)
2. Navigate to your existing certification
3. Click "Update" or "Edit"
4. Modify the relevant fields
5. Re-upload your certification letter/Exhibit A if the mitigation plan changed
6. Submit and save the confirmation page
**Or:** Contact Performance West — we can submit the update on your behalf as your authorized filing agent.
### Step 5: Maintain an Audit Trail
Keep a log of all material changes and RMD updates:
| Date | Change Description | Notified By | Updated in RMD | Confirmation # |
|---|---|---|---|---|
| 2026-03-15 | New upstream provider (ABC Telecom) | VP Engineering | 2026-03-18 | RMD-UPD-12345 |
| 2026-04-01 | Contact email changed to new@company.com | HR | 2026-04-03 | RMD-UPD-12346 |
---
## 4. Documenting Material Change Procedures in Your RMD Filing
Your RMD certification should include:
> "[Company Name] updates its RMD certification and CORES registration within 10 business days of any material change, including but not limited to changes in ownership, contacts, STIR/SHAKEN posture, upstream provider, or trade names, per 47 CFR § 64.6305. A designated compliance officer monitors for material changes and maintains an audit trail of all updates."
---
## 5. Penalties for Non-Compliance
| Violation | Penalty |
|---|---|
| Failure to update within 10 business days | $1,000/day forfeiture |
| False or inaccurate information in filing | $10,000 base forfeiture |
| Failure to maintain compliant certification | Removal from RMD (downstream carriers must block your traffic within 30 days) |
---
## 6. Common Mistakes to Avoid
| Mistake | Consequence |
|---|---|
| No material change language in RMD filing | Filing flagged as deficient |
| Updating only annually during recertification | Misses the 10-day requirement for mid-year changes |
| No internal notification process | Changes happen without anyone updating the RMD |
| Updating the filing but not the Exhibit A | Inconsistency between certification and plan |
| No audit trail | Cannot demonstrate timely compliance if audited |
---
*This guide is provided for informational purposes as part of your RMD filing service. It is not legal advice.*
*Performance West Inc. — performancewest.net — 1-888-411-0383*

View file

@ -0,0 +1,137 @@
# Traceback Response Procedures Guide
## Implementation Handbook for Voice Service Providers
**Prepared by Performance West Inc.**
**Effective Date: 2026**
---
## 1. What Is a Traceback Request?
A traceback is the process of identifying the originating source of an illegal robocall by tracing the call path backward through the network — from the terminating carrier, through intermediate/transit providers, back to the originating carrier and ultimately the customer who placed the call.
Traceback requests are issued by:
- **Industry Traceback Group (ITG)** — operated by USTelecom
- **FCC Enforcement Bureau**
- **State attorneys general**
- **Federal and state law enforcement**
**Your obligation:** Respond fully and completely within **24 hours**.
**Regulatory basis:** 47 CFR § 64.6305(d)(2)(iii), (e)(2)(iii), (f)(2)(iii)
---
## 2. Implementation Steps
### Step 1: Designate a 24/7 Traceback Contact
You MUST have someone available to respond to traceback requests within 24 hours, including weekends and holidays.
**Recommended structure:**
- **Primary contact:** Your RMD compliance officer or NOC manager
- **Backup contact:** A second person with access to CDR systems
- **Email alias:** Create a dedicated email like traceback@yourcompany.com that forwards to both
- **Phone:** A direct line or on-call number (not a general IVR)
Register your traceback contact with the ITG at https://tracebacks.org
### Step 2: Ensure CDR Access
Your traceback contact must be able to:
- Search Call Detail Records (CDRs) by called number, calling number, and date/time
- Identify which customer or trunk group originated a specific call
- Export relevant CDR data for the requesting party
- Access records going back at least 18 months
**Systems to prepare:**
- CDR database or data warehouse with search capability
- SIP/SS7 log access (if available)
- Customer account lookup by trunk/SIP registration
### Step 3: Create a Traceback Response Template
When you receive a traceback request, respond with:
```
TRACEBACK RESPONSE
Date: [today]
Request Reference: [ITG/FCC reference number]
Responding Provider: [Your company name]
FRN: [Your FRN]
Contact: [Name, email, phone]
CALL DETAILS REQUESTED:
Called Number: [number from request]
Calling Number: [number from request]
Date/Time: [from request]
FINDINGS:
Call found in our records: YES / NO
Originating customer/trunk: [customer name or trunk ID]
Customer account number: [if applicable]
Upstream source (if transit): [provider name, trunk ID]
CDR excerpt attached: YES / NO
ACTION TAKEN:
[e.g., "Customer notified of violation", "Traffic blocked",
"Account suspended pending investigation", "Referred to upstream provider"]
Signed: [Name, Title]
```
### Step 4: Establish Response SLA
| Timeline | Action |
|---|---|
| **01 hour** | Acknowledge receipt of traceback request |
| **14 hours** | Search CDRs, identify the source |
| **412 hours** | Prepare response with CDR evidence |
| **Within 24 hours** | Send complete response to the requesting party |
| **Immediately** | If the source is a known bad actor, block the traffic |
### Step 5: Take Enforcement Action
After identifying the source:
1. **Notify the customer** that they are the subject of a traceback
2. **Review the customer's account** for patterns of abuse
3. **If abuse is confirmed:** suspend or terminate service per your AUP
4. **If the call was transit traffic:** forward the traceback to your upstream provider
5. **Document everything** — enforcement actions, customer communications, blocking orders
---
## 3. Documenting Traceback Procedures in Your RMD Filing
Your RMD certification should include:
> "[Company Name] commits to respond fully and completely to all traceback requests from the Commission, civil and criminal law enforcement, and the industry traceback consortium, and to do so within 24 hours of receipt. [Company Name] cooperates with the Industry Traceback Group operated by USTelecom and provides requested call detail records and tracing information necessary to identify the origin of suspected illegal robocalls."
---
## 4. What Happens If You Don't Respond
| Failure | Consequence |
|---|---|
| No response within 24 hours | Reported to FCC as non-responsive provider |
| Pattern of non-response | FCC enforcement action, potential RMD removal |
| RMD removal | Downstream carriers must block your traffic within 30 days |
---
## 5. Common Mistakes to Avoid
| Mistake | Consequence |
|---|---|
| No 24/7 contact registered with ITG | Traceback requests go unanswered |
| CDRs not retained long enough | Cannot trace historical calls |
| Responding to ITG but not taking action against the customer | FCC views this as insufficient mitigation |
| No traceback language in RMD filing | Filing flagged as deficient |
---
*This guide is provided for informational purposes as part of your RMD filing service. It is not legal advice.*
*Performance West Inc. — performancewest.net — 1-888-411-0383*