FCC robocall rule could tie phone accounts to IDs

FCC proposes carriers keep customer names, addresses and government ID data for four years after service ends; experts warn this could raise SIM-swap and cryptocurrency theft risk.

The Federal Communications Commission published a proposal on May 26 under CG Docket Nos. 17-59 and 02-278 that would require originating voice service providers to collect and retain customer names, physical addresses, government-issued ID numbers, alternate telephone numbers and supporting verification records before activating service. The agency would require carriers to hold the records for four years after a customer’s service ends. The FCC is accepting public comment through June 25.

The proposal would impose a $2,500 per-call base forfeiture for failures to meet Know-Your-Customer questions. For high-volume customers, the agency would ask providers to collect information about intended use and IP addresses. The FCC frames the policy as an effort to block illegal robocalls before they enter the network and to reduce fraud and consumer harm.

Security researchers and crypto advocates warn that bundling more identity data with phone accounts could raise the risk of SIM-swap attacks and account takeovers. Phone numbers are commonly used for account recovery, exchange onboarding, SMS two-factor authentication and customer support verification. When carriers link a number to a name, address, government ID and service history, attackers who access or impersonate that account can try to reset logins and move assets.

Federal investigations and industry incidents cited by experts illustrate the risk. In September 2025 the Department of Justice filed a civil forfeiture action involving more than $5 million in Bitcoin tied to a sequence prosecutors described as SIM-swap attacks that intercepted one-time authentication codes and allowed control of exchange and email accounts. The FBI’s Internet Crime Complaint Center recorded 1,611 SIM-swap complaints in 2021, with adjusted losses above $68 million, compared with 320 complaints and about $12 million in losses for 2018–2020.

Phone-number compromise has also affected institutions. In January 2024 an unauthorized party gained control of the phone number linked to a regulatory agency’s social media account, reset its password and posted a false announcement about a spot Bitcoin ETF before the account owner corrected the post. Expanded carrier-side identity records could provide additional material for impersonation attempts against similar high-value targets.

Bitcoin security researcher Jameson Lopp has argued that services without identity-linked KYC can serve as a security measure for people believed to hold large crypto positions. Lopp maintains a public repository of documented physical attacks against crypto holders that lists extortion, swatting and other real-world targeting incidents.

The final rule could cover different customer groups. If requirements apply only to high-volume commercial call originators, retail phone accounts and prepaid SIMs would largely remain outside expanded data collection. If the rule covers new and renewing retail customers and prepaid SIMs, carrier databases would tie far more phone numbers to identities, addresses and multi-year service histories.

Security experts also warn about systemic risk from breaches. A carrier, vendor or third-party KYC provider compromise could expose linked records at scale, producing lists that cross-reference phone numbers, identities, addresses and service activity and that could be used to prioritize attacks.

The FCC asks commenters to address privacy and security trade-offs and whether carriers would need mandatory controls to protect the collected data. Public comment on the proposal closes June 25.

Articles by this author