FCC Chairwoman Jessica Rosenworcel has circulated a Report and Order to other commissioners proposing rule changes aimed at protecting consumer cellphone accounts from attacks on cell phone accounts.
The proposal calls for revising Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules. Wireless providers would be required to adopt secure methods of authenticating a customer before redirecting the customer’s number to a new device or provider.
Providers would also be required to immediately notify customers when a SIM change or port-out request is made.
The rules were developed by the Data Protection Task Force and are designed to guard against SIM Swapping and Port-Out fraud.
SIM swapping is convincing a wireless carrier to switch service from the victim’s phone to the perpetrator’s. Port-Out fraud is when a bad actor posing as the victim opens an account with a carrier not used by the victim and convinces that carrier to switch service to the phone.
The rules would set baseline requirements and a uniform framework while enabling providers to deploy their own fraud protections. The report and order includes a Further Notice of Proposed Rulemaking that would seek comment on further ways to “harmonize” the new rules with existing CPNI rules and on other steps the commission should take.
The Data Protection Task Force reaches across the FCC on rulemaking, enforcement, and public awareness needs in relation to privacy and data protection activities, including data breaches.
“Every consumer has a right to expect that their mobile phone service providers keep their accounts secure and their data private,” said Chairwoman Rosenworcel in a press release. “These updated rules will help protect consumers from ugly new frauds while maintaining their well-established freedom to pick their preferred device and provider. I ask my colleagues to join me in supporting these common-sense consumer protections.”
The FCC considered a related issue in January 2022 with the release of an NPRM aimed at strengthening requirements for notifying customers and federal law enforcement of breaches to CPNI.