88 FR 239 pgs. 86614-86621 - Protecting Consumers From SIM-Swap and Port-Out Fraud
Type: PRORULEVolume: 88Number: 239Pages: 86614 - 86621
Pages: 86614, 86615, 86616, 86617, 86618, 86619, 86620, 86621Docket number: [WC Docket No. 21–341; FCC 23–95, FR ID 186836]
FR document: [FR Doc. 2023–26701 Filed 12–13–23; 8:45 am]
Agency: Federal Communications Commission
Official PDF Version: PDF Version
[top]
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[WC Docket No. 21-341; FCC 23-95, FR ID 186836]
Protecting Consumers From SIM-Swap and Port-Out Fraud
AGENCY:
Federal Communications Commission.
ACTION:
Proposed rule.
SUMMARY:
In this document, the Federal Communications Commission adopted a Further Notice of Proposed Rulemaking ( FNPRM ) that seeks comment on whether to harmonize the existing requirements governing customer access to Customer Proprietary Network Information (CPNI) with the new Subscriber Identity Module (SIM) change authentication and protection measures that the Commission adopted; whether limitations on employee access to CPNI prior to customer authentication should be extended to all telecommunications carriers; what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud; and how providers should notify customers of failed authentication attempts.
DATES:
Comments are due on or before January 16, 2024, and reply comments are due on or before February 12, 2024. Written comments on the Paperwork Reduction Act proposed information collection requirements must be submitted by the public and other interested parties on or before February 12, 2024.
ADDRESSES:
You may submit comments, identified by WC Docket No. 21-341, by any of the following methods:
[top] Federal Communications Commission's website: https://
People with Disabilities: Contact the FCC to request reasonable accommodations (accessible format documents, sign language interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: 202-418-0530 or TTY: 202-418-0432.
For detailed instructions for submitting comments and additional information on the rulemaking process, see the SUPPLEMENTARY INFORMATION section of this document. In addition to filing comments with the Office of the Secretary, a copy of any comments on the Paperwork Reduction Act information collection requirements contained herein should be submitted to Nicole Ongele, Federal Communications Commission, 45 L Street SW, Washington, DC 20554, or send an email to PRA@fcc.gov.
FOR FURTHER INFORMATION CONTACT:
For further information, contact Melissa Kirkel at melissa.kirkel@fcc.gov or (202) 418-7958. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, send an email to PRA@fcc.gov or contact Nicole Ongele, Nicole.Ongele@fcc.gov.
SUPPLEMENTARY INFORMATION:
This is a summary of the Commission's Further Notice of Proposed Rulemaking in WC Docket No. 21-341, FCC 23-95, adopted on November 15, 2023 and released on November 16, 2023. The full text of the document is available on the Commission's website at https://docs.fcc.gov/public/attachments/FCC-23-95A1.pdf. The Providing Accountability Through Transparency Act, Public Law 118-9, requires each agency, in providing notice of a rulemaking, to post online a brief plain-language summary of the proposed rule. The required summary of this FNPRM is available at https://www.fcc.gov/proposed-rulemakings. To request materials in accessible formats for people with disabilities ( e.g. braille, large print, electronic files, audio format, etc.), send an email to FCC504@fcc.gov or call the Consumer & Governmental Affairs Bureau at (202) 418-0530 (voice).
Paperwork Reduction Act
The FNPRM may contain new or modified information collection(s) subject to the Paperwork Reduction Act of 1995. All such new or modified information collection requirements will be submitted to OMB for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, we seek specific comment on how we might "further reduce the information collection burden for small business concerns with fewer than 25 employees."
Comments should address: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information shall have practical utility; (b) the accuracy of the Commission's burden estimates; (c) ways to enhance the quality, utility, and clarity of the information collected; (d) ways to minimize the burden of the collection of information on the respondents, including the use of automated collection techniques or other forms of information technology; and (e) way to further reduce the information collection burden on small business concerns with fewer than 25 employees. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees.
Regulatory Flexibility Act
The Regulatory Flexibility Act of 1980, as amended (RFA) requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that "the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities." Accordingly, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the potential impact of rule and policy change proposals in the FNPRM on small entities. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the FNPRM indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA.
Ex Parte Presentations
The proceeding shall be treated as a "permit-but-disclose" proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must: (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format ( e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules.
Comment Period and Filing Procedures
Pursuant to sections 1.415 and 1.419 of the Commission's rules, 47 CFR 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission's Electronic Comment Filing System (ECFS) or by paper. Commenters should refer to WC Docket No. 21-341 when filing in response to this FNPRM.
• Electronic Filers: Comments may be filed electronically by accessing ECFS at https://www.fcc.gov/ecfs.
• Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. Paper filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail.
[top] • Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings.
• Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.
U.S. Postal Service first-class, Express, and Priority Mail must be addressed to 45 L Street NE, Washington, DC 20554.
People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
Synopsis
1. Harmonizing the CPNI Safeguards Rules. In this FNPRM, we first seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures we adopt. This FNPRM expands on questions the Commission asked in the SIM Swap and Port-Out Fraud Notice and several comments in the record, but seeks more targeted feedback on a specific approach. In particular, in the SIM Swap and Port-Out Fraud Notice, the Commission asked "whether any new or revised customer authentication measures . . . would offer benefits for all purposes." The Commission also asked whether there are "benefits to providing expanded authentication requirements before providing access to CPNI to someone claiming to be a carrier's customer," as well as "whether any heightened authentication measures required (or prohibited) should apply for access to all CPNI, or only in cases where SIM change requests are being made." Additionally, the Commission proposed to add a prohibition on the use of recent payment and call detail information to authenticate customers for online access to CPNI.
2. Several commenters suggested that we harmonize our CPNI authentication rules with the SIM change authentication rules we adopt. These commenters offered several rationales that potentially support harmonization of these rules, including that: (1) The CPNI authentication requirements are outdated and therefore vulnerable to fraud; (2) inconsistent rules are more burdensome on carriers; (3) some carriers default to specified authentication measures and are disincentivized from adopting more secure measures; (4) a prescribed list provides a road map for bad actors; and (5) the existing CPNI authentication requirements could undermine stronger authentication measures for SIM changes and number ports. Harmonization also would be consistent with commenters' assertions that carriers need flexibility to implement more secure authentication measures. We seek comment on these justifications.
3. We also seek comment on other potential justifications for harmonization. For instance, we tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. We further tentatively conclude that multiple authentication standards and protection requirements may be confusing for customers. Are these tentative conclusions correct?
4. We seek comment on any reasons why we should not harmonize our CPNI and SIM change authentication rules. For example, would it be costly and burdensome for carriers, particularly small carriers, to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements we adopted? Are there other reasons harmonized rules would increase the costs or burdens on carriers, including small carriers? Is there anything unique about CPNI or SIM changes that warrants different authentication measures? For instance, even if the existing measures for CPNI authentication may be outdated and less secure, are modifications to the rules unwarranted because the risk of harm from unauthorized access to CPNI is lower than from SIM swap fraud?
5. If we do choose to harmonize the rules addressing customer access to CPNI with our new SIM change safeguards, we seek comment on the extent to which the rules should be harmonized. We seek comment whether to remove the prescriptive authentication requirements in our current CPNI rules and replace them with the single requirement that carriers use secure methods of authenticating the identity of a customer prior to disclosing CPNI. We also seek comment on whether to use the same definition of secure methods of authentication, which are those that are reasonably designed to confirm a customer's identity and excluding use of readily available biographical information, account information, recent payment information, call detail information, or any combination of these factors. Additionally, we seek comment on whether the procedures we require carriers to adopt for responding to failed authentication attempts in connection with SIM change requests should apply to all other CPNI authentications as well. We also seek comment on whether the CPNI customer access rules should be harmonized with any of the other SIM change protections we adopt. Should the limits on access to CPNI by employees who receive inbound customer communications prior to authentication of the customer apply to all telecommunications carriers? Should the CPNI rules only be harmonized to include some of these measures? If so, which measures should and should not be harmonized and why? Should we harmonize the customer notification rules for all account changes? Additionally, are there any other rules that would need to be modified for consistency if we harmonize the CPNI rules, such as the Commission's Telecommunications Relay Service (TRS) CPNI rules? Should the Commission apply any harmonized rules to all customer proprietary information?
6. We tentatively conclude that we should rely on the same legal authority we used to originally implement the CPNI authentication rules in order to harmonize any of the CPNI rules, and seek comment on this tentative approach. In the 2007 CPNI Order (72 FR 31948 (June 8, 2007)), as with the rules we adopted, we relied primarily on section 222 to implement the CPNI authentication rules, and we tentatively conclude this provision continues to provide us with sufficient authority to harmonize those rules with the SIM change rules. We seek comment on this tentative conclusion. We also seek comment on whether there are any legal implications for the harmonization approach we propose. For instance, in the 2016 Broadband Privacy Order (81 FR 87274 (Jan. 3, 2017)), the Commission harmonized the CPNI rules for voice providers with those it had adopted for broadband internet access service providers, but those rules were nullified by Congress pursuant to the Congressional Review Act, which prohibits the Commission from reissuing a disapproved rule "in substantially the same form" and from issuing a new rule "that is substantially the same as such a rule." We tentatively conclude that the 2017 action by Congress has no effect on the options we may consider here and seek comment on this tentative conclusion.
[top] 7. Harmonizing Government Efforts to Address SIM Swap and Port-Out Fraud. We seek comment on what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. As several
8. Customer Notification of Failed Customer Authentication Attempts. We seek comment on whether we should require wireless providers to immediately notify customers in the event of a failed authentication attempt, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. 345) or the Commission's rules implementing that statute. We believe that such notifications could empower customers to take action to prevent unauthorized access to their account when failed authentication attempts are fraudulent. Should we require all telecommunications carriers to provide such notifications to customers? In the event the Commission were to require such notifications, we tentatively conclude that the notifications should be reasonably designed to reach the customer associated with the account but otherwise would permit wireless providers to determine the method of providing these notifications, taking into consideration the needs of survivors pursuant to the Safe Connections Act and our implementing rules. We also tentatively conclude that such notifications should use "clear and concise language" but do not propose to prescribe particular content or wording for the notifications.
9. Industry commenters assert that "a carrier does not typically know why a customer authenticates until after the customer has successfully authenticated." Based on these assertions, should we permit carriers to employ "reasonable risk assessment techniques to determine when a failed authentication attempt requires customer notification," or require notification only in instances of multiple failed attempts, or when there is reasonable suspicion of fraud? What are the benefits and costs of doing so, for both providers and customers? If we were to require customer notification only where there were multiple failed authentication attempts, what standard would we use to determine what constitutes "multiple," and how would providers track multiple authentication attempts across different platforms ( i.e., phone, application, and website)?
10. Other Consumer Protection Measures. We reiterate the Commission's request for comment on whether there are any additional requirements the Commission should consider that would help protect customers from SIM swap or port-out fraud or assist them with resolving problems resulting from such incidents. For example, should we require wireless providers to explicitly exclude resolution of SIM change and port-out fraud disputes from arbitration clauses in providers' agreements with customers or abrogate such clauses? Would this provide meaningful additional protections to customers from SIM swap and port-out fraud? What would be the costs to wireless providers, particularly small providers, from such a requirement?
11. Digital Equity and Inclusion. Finally, the Commission, as part of its continuing effort to advance digital equity for all, including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission's relevant legal authority.
Initial Regulatory Flexibility Analysis
12. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Protecting Consumers from SIM Swap and Port-Out Fraud Further Notice of Proposed Rulemaking ( FNPRM ). Written comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments on the FNPRM provided on the first page of the item. The Commission will send a copy of the FNPRM, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). In addition, the FNPRM and IRFA (or summaries thereof) will be published in the Federal Register .
A. Need for, and Objectives of, the Proposed Rules
13. In the SIM Swap and Port-Out Fraud Report and Order ( Report and Order ) (88 FR 85794 (Dec. 8, 2023)), the Commission adopts rules to address fraudulent practices that transfer a customer's wireless service to a bad actor, allowing the bad actor to gain access to information associated with the customer's account, and permitting the bad actor to receive the text messages and phone calls intended for the customer. Specifically, the Report and Order revises the Commission's Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device or provider. The Report and Order also requires wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers' accounts, and take additional steps to protect customers from SIM swap and port-out fraud. This approach sets baseline requirements that establish a uniform framework across the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available.
14. In this FNPRM, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order. This FNPRM expands on questions asked in the SIM Swap and Port-Out Fraud Notice (86 FR 57390 (Oct. 15, 2021)) and several comments in the record, but seeks more targeted feedback on a specific approach. The FNPRM explores whether justifications identified by commenters in the record, or any other justifications, provide a rationale for harmonizing the existing CPNI rules with the customer protection measures adopted in the Report and Order, as well as any reasons why the Commission should not harmonize its existing CPNI rules with the SIM swap fraud protection measures adopted in the Report and Order.
[top] 15. Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the FNPRM also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. The FNPRM also
B. Legal Basis
16. The proposed action is authorized pursuant to sections 1, 4, 201, 222, 251, 303(r), and 332 of the Communications Act of 1934, as amended, 47 U.S.C. 151, 154, 201, 222, 251, 303(r), and 332.
C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply
17. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted. The RFA generally defines the term "small entity" as having the same meaning as the terms "small business," "small organization," and "small governmental jurisdiction." In addition, the term "small business" has the same meaning as the term "small business concern" under the Small Business Act. A "small business concern" is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.
18. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe, at the outset, three broad groups of small entities that could be directly affected herein. First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration's (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses.
19. Next, the type of small entity described as a "small organization" is generally "any not-for-profit enterprise which is independently owned and operated and is not dominant in its field." The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS.
20. Finally, the small entity described as a "small governmental jurisdiction" is defined generally as "governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand." U.S. Census Bureau data from the 2017 Census of Governments indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. Of this number, there were 36,931 general purpose governments (county, municipal, and town or township) with populations of less than 50,000 and 12,040 special purpose governments-independent school districts with enrollment populations of less than 50,000. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of "small governmental jurisdictions."
1. Providers of Telecommunications and Other Services
21. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers.
22. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were engaged in the provision of fixed local services. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
23. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were fixed local exchange service providers. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
[top] 24. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms
25. Competitive Local Exchange Carriers (Competitive LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 3,378 providers that reported they were competitive local exchange service providers. Of these providers, the Commission estimates that 3,230 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
26. Interexchange Carriers (IXCs). Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 127 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 109 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities.
27. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 207 providers that reported they were engaged in the provision of local resale services. Of these providers, the Commission estimates that 202 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
28. Toll Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 457 providers that reported they were engaged in the provision of toll services. Of these providers, the Commission estimates that 438 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
29. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 594 providers that reported they were engaged in the provision of wireless services. Of these providers, the Commission estimates that 511 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.
[top] 30. Wireless Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Wireless Resellers. The closest industry with an SBA small business size standard is Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications and they do not operate transmission facilities and
31. Satellite Telecommunications. This industry comprises firms "primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications." Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $38.5 million or less in annual receipts as small. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. Of this number, 242 firms had revenue of less than $25 million. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 65 providers that reported they were engaged in the provision of satellite telecommunications services. Of these providers, the Commission estimates that approximately 42 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, a little more than half of these providers can be considered small entities.
32. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Providers of internet services ( e.g. dial-up ISPs) or Voice over internet Protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. Of those firms, 1,039 had revenue of less than $25 million. Based on this data, the Commission estimates that the majority of "All Other Telecommunications" firms can be considered small.
2. Internet Service Providers
33. Wired Broadband internet Access Service Providers (Wired ISPs). Providers of wired broadband internet access service include various types of providers except dial-up internet access providers. Wireline service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission's rules. Wired broadband internet services fall in the Wired Telecommunications Carriers industry. The SBA small business size standard for this industry classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees.
34. Additionally, according to Commission data on internet access services as of December 31, 2018, nationwide there were approximately 2,700 providers of connections over 200 kbps in at least one direction using various wireline technologies. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA's small business size standard. However, in light of the general data on fixed technology service providers in the Commission's 2022 Communications Marketplace Report, we believe that the majority of wireline internet access service providers can be considered small entities.
35. Wireless Broadband internet Access Service Providers (Wireless ISPs or WISPs). Providers of wireless broadband internet access service include fixed and mobile wireless providers. The Commission defines a WISP as "[a] company that provides end-users with wireless access to the internet[.]" Wireless service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission's rules. Neither the SBA nor the Commission have developed a size standard specifically applicable to Wireless Broadband internet Access Service Providers. The closest applicable industry with an SBA small business size standard is Wireless Telecommunications Carriers (except Satellite). The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees.
36. Additionally, according to Commission data on internet access services as of December 31, 2018, nationwide there were approximately 1,209 fixed wireless and 71 mobile wireless providers of connections over 200 kbps in at least one direction. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA's small business size standard. However, based on data in the Commission's 2022 Communications Marketplace Report on the small number of large mobile wireless nationwide and regional facilities-based providers, the dozens of small regional facilities-based providers and the number of wireless mobile virtual network providers in general, as well as on terrestrial fixed wireless broadband providers in general, we believe that the majority of wireless internet access service providers can be considered small entities.
[top] 37. Internet Service Providers (Non-Broadband). Internet access service providers using client-supplied telecommunications connections ( e.g., dial-up ISPs) as well as VoIP service providers using client-supplied telecommunications connections fall in the industry classification of All Other Telecommunications. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. For this industry, U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. Of those firms, 1,039 had revenue of less than $25 million. Consequently, under the SBA size standard a majority of firms in this industry can be considered small.
D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities
38. In this FNPRM, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. We tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the FNPRM also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud.
39. Should the Commission decide to modify existing rules or adopt new rules to harmonize its existing CPNI rules with rules to protect customers from SIM swap fraud, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements for affected providers of service. Likewise, should the Commission decide to adopt rules requiring notification of a failed authentication attempt, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements. We seek comment on the effect of any proposals on small entities. Entities, especially small businesses, are encouraged to quantify the costs and benefits of any reporting, recordkeeping, or compliance requirement that may be established in this proceeding. We anticipate the information we receive in comments including, where requested, cost and benefit analyses, will help the Commission identify and evaluate relevant compliance matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the FNPRM.
E. Steps Taken To Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered
40. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): "(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities."
41. In this FNPRM, we seek comment on whether we should harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. Among the justifications on which we seek comment are whether inconsistent rules are more burdensome on carriers and whether carriers need flexibility to implement more secure authentication measures. We also tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers. In considering additional alternatives, we also ask whether it would it be costly and burdensome for carriers to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements adopted in the Report and Order, and whether there are other reasons harmonized rules could increase the costs or burdens on carriers, including small carriers. Regarding notification to customers of failed authentication attempts, the FNPRM seeks comment whether the Commission should require immediate notification by all telecommunications carriers or only wireless providers. The FNPRM also asks whether providers should be required to notify customers immediately of all failed authentication attempts, or whether instead to permit carriers to employ reasonable risk assessment techniques to determine when failed authentication attempts require customer notification, or require notification only in instances of multiple failed attempts or when there is reasonable suspicion of fraud. The Commission expects to consider the economic impact on small entities, as identified in comments filed in response to the FNPRM and this IRFA, in reaching its final conclusions and taking action in this proceeding.
F. Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rules
42. None.
Paperwork Reduction Act of 1995 Analysis
This document contains new or modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public to comment on the information collection requirements contained in this Report and Order as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, the Commission notes that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees.
II. Ordering Clauses
43. Accordingly, it is ordered that, that pursuant to the authority contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154, 201, 222, 251, 303, and 332, this Further Notice of Proposed Rulemaking in WC Docket No. 21-341 is adopted .
44. It is further ordered that the Commission's Office of the Secretary, Reference Information Center, shall send a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.
Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-26701 Filed 12-13-23; 8:45 am]
BILLING CODE 6712-01-P