f8cd37ac8c
Includes: API (Express/TypeScript), Astro site, Python workers, document generators, FCC compliance tools, Canada CRTC formation, Ansible infrastructure, and deployment scripts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8 KiB
Know Your Customer (KYC) Procedures Guide
Implementation Handbook for Voice Service Providers
Prepared by Performance West Inc. Effective Date: 2026
1. What Are KYC Procedures Under the RMD?
The FCC's 2025 RMD Report & Order requires all voice service providers to implement Know Your Customer (KYC) procedures as part of their robocall mitigation program. KYC is the process of verifying the identity and legitimacy of customers before providing them with voice service — and monitoring them on an ongoing basis.
Regulatory basis: 47 CFR § 64.1200(n)(4), reinforced by the 2025 RMD Report & Order (FCC 25-6)
2. Required KYC Elements
Your KYC program must include:
A. Information Collection at Signup
Collect the following from every new customer before activating service:
| Required Information | Purpose |
|---|---|
| Full legal name (individual or entity) | Identity verification |
| Physical business address (no P.O. boxes for high-volume/toll-free) | Location verification |
| Business identification (EIN/tax ID, or last 4 SSN for individuals) | Tax identity confirmation |
| Government-issued photo ID | Identity authentication |
| Business website or description of legitimate business purpose | Legitimacy assessment |
| Contact phone and email | Communication channel |
B. Verification Steps
For each new customer, perform these checks:
- Cross-reference business name + EIN against your state's business registry or IRS database
- Verify address via USPS Address Verification or a third-party source (LexisNexis, Dun & Bradstreet)
- Authenticate photo ID — confirm it is genuine, not expired, and the name matches (see recommended tool below)
- Open-source search — search the customer name and principals for:
- Prior association with illegal robocalling
- Inclusion on the ITG's known bad-actor traceback list
- FCC enforcement actions or complaints
- Spoofing or fraud complaints
Recommended: Stripe Identity for ID Verification
For automated, reliable identity verification, we recommend Stripe Identity (https://stripe.com/identity). It provides:
- Government-issued ID document verification — authenticates the ID is real, not expired, and not tampered with
- Selfie matching with liveness detection — confirms the person holding the ID is the person on it
- SSN-based ID number lookup (US only) — cross-references against authoritative databases
Pricing:
- First 50 verifications: FREE (included with any Stripe account)
- $1.50 per verification after the free tier
- Volume discounts available for 2,000+ verifications/month (contact Stripe)
This is significantly cheaper than traditional KYC vendors and integrates directly into your customer onboarding flow via API or hosted verification page. Most small-to-mid carriers will stay within the free tier (50 new customers per billing cycle). At $1.50 each after that, verifying 100 customers costs just $75.
Integration: Stripe Identity can be embedded as a link in your customer signup form — the customer clicks a link, takes a photo of their ID and a selfie, and Stripe returns a pass/fail result to your system within seconds. No manual review needed for passing verifications.
C. Red-Flag Review
Trigger enhanced due diligence when any of the following occur:
- Customer is unwilling or unable to provide complete KYC information
- Discrepancies between provided information and public records
- Use of privacy-protected or anonymous registration services
- Usage patterns inconsistent with stated business purpose
- Prior complaints, tracebacks, or enforcement actions linked to the customer
- Request for unusually high call volumes relative to stated business size
D. Ongoing Monitoring
- Annual re-vetting for all customers (minimum)
- Immediate re-review upon complaints, traceback requests, or anomalous traffic patterns
- High-volume/toll-free customers: quarterly review
3. Implementation Steps
Step 1: Create Your KYC Intake Form
Build a customer onboarding form (paper or digital) that collects all required fields. Store responses in your CRM or customer database.
Recommended fields:
- Legal entity name
- DBA / trade name
- Entity type (LLC, Corp, Sole Prop, etc.)
- EIN or Tax ID
- State of formation
- Physical address (street, city, state, zip)
- Mailing address (if different)
- Primary contact name, title, phone, email
- Government-issued ID (upload or in-person)
- Business website URL
- Description of intended use of voice services
- Expected monthly call volume
- Authorized signatory for service agreement
Step 2: Build Your Verification Checklist
For each new customer, a team member should complete:
- Business name verified against state registry
- EIN verified (IRS EIN verification letter or cross-reference)
- Address validated via USPS or third-party
- Photo ID reviewed and authenticated
- Web search completed for bad-actor associations
- ITG traceback list checked (if available)
- FCC ECFS searched for complaints against this entity
- No red flags identified (or enhanced due diligence completed)
- Acceptable Use Policy signed by customer
- Service activated
Step 3: Acceptable Use Policy
Every customer must sign an Acceptable Use Policy (AUP) that includes:
- Prohibition of illegal robocalling, spoofing, and fraud
- Prohibition of originating calls to/from DNO-listed numbers
- Agreement to cooperate with traceback requests
- Right to immediately suspend service for violations
- Requirement to notify you of changes to business information
Step 4: Set Up Ongoing Monitoring
Configure your systems to flag:
- Customers exceeding their stated call volume by 2x or more
- Sudden spikes in short-duration calls (potential robocall signature)
- High Answer-Seizure Ratio (ASR) anomalies
- Complaints received from downstream carriers or end users
- Traceback requests from ITG or law enforcement
Step 5: Document Your Process
Write an internal SOP document covering:
- Who performs KYC reviews (role/title)
- How records are stored and for how long
- What triggers enhanced due diligence
- How to handle customer refusals
- Escalation procedures for red-flag findings
4. Documenting KYC in Your RMD Filing
Your RMD certification (Exhibit A) should include:
"[Company Name] conducts internal Know Your Customer (KYC) procedures for all customers. At account signup or upon any material change in service usage, we require and collect: full legal name, physical business address, business identification (EIN or tax ID), government-issued photo ID, and a description of legitimate business purpose. We cross-reference business information against state registries, validate addresses via USPS, verify photo ID authenticity, and conduct open-source searches for prior robocalling associations. Enhanced due diligence is triggered when red flags are identified."
5. Common Mistakes to Avoid
| Mistake | Consequence |
|---|---|
| No KYC section in RMD filing | Filing flagged as deficient under 2026 requirements |
| Collecting info but not verifying it | Non-compliance — verification is the key requirement |
| No ongoing monitoring after signup | Fails the "continuous compliance" standard |
| No AUP or terms of service | Cannot enforce against abusive customers |
| Storing KYC data without security measures | Potential data breach liability |
6. Resources
- FCC 47 CFR § 64.1200(n)(4): KYC requirements for voice service providers
- ITG (Industry Traceback Group): https://tracebacks.org
- FCC ECFS (complaints search): https://www.fcc.gov/ecfs/
- USPS Address Verification: https://tools.usps.com/zip-code-lookup.htm
- IRS EIN Verification: https://www.irs.gov/businesses/small-businesses-self-employed/employer-id-numbers
This guide is provided for informational purposes as part of your RMD filing service. It is not legal advice.
Performance West Inc. — performancewest.net — 1-888-411-0383