On December 8, new Federal Communications Commission rules, designed to prevent and remediate fraudulent SIM change and number port-out requests, were published in the Federal Register. SIM changes and number port-outs are two methods that fraudsters commonly use to transfer a victim’s mobile service and number from the victim’s mobile device to a mobile device in the fraudster’s possession.

Beginning July 8, 2024,1 wireless providers will be required to implement, among other things, reasonable methods for authenticating a requestor’s identity before complying with their request to transfer a phone number to a different SIM or a different provider, a process for addressing failed authentication attempts, a customer notice regarding a SIM change or port-out request, an account lock feature, employee training, and recordkeeping requirements. These requirements are applicable to both pre-paid and post-paid wireless services, as well as to wireless resellers.

Below is an overview of each of these requirements, along with a brief overview of a Further Notice of Proposed Rulemaking that the FCC released on the same topic. The FNPRM has yet to be published in the Federal Register.Customer Authentication for SIM.

Change and Port-Out Requests. The new FCC rules will require providers to design and implement methods to authenticate a requestor’s identity before fulfilling a request to either transfer the customer’s number and service to a new SIM or port the customer’s number to a new provider. Additionally, providers must “establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI [customer proprietary network information] in the course of that customer interaction until after a customer has been properly authenticated” using those methods. 88 Fed. Reg. 85794, 85801 (Nov. 8, 2023).

The new rules do not mandate use of any particular authentication methods. Instead, the FCC imposed a general obligation on providers to ensure that whatever methods they use:

  • Are secure when adopted;
  • Remain secure over time;
  • For port-out requests, accommodate the needs of a range of customers to prevent harms to competition; and
  • Comply with legal requirements related to protecting survivors of domestic violence and similar crimes and abuses.

For a method to be secure, a provider must also regularly review (at least annually) its effectiveness and make any necessary updates. A secure method also cannot involve asking for the customer’s readily available biographical information, account information, recent payment information, or call detail information. Responding to comments, the Commission clarified that sending verification codes or links by text message could, in some circumstances, be a secure verification method—but “strongly encourage[d] wireless providers to use [it] only when paired with other secure methods of authentication, i.e., as part of multi-factor authentication.” 88 Fed. Reg. at 85797.

In the context of port-out requests, methods must accommodate the needs of a range of customers, including those without data plans or data-enabled devices and those with varying degrees of technological literacy, or disabilities or accommodation needs. As such, providers may need to provide customers with multiple options for authenticating their identity (e.g., in- person authentication using government-issued IDs or over-the-phone authentication).

Providers have additional obligations if a person requests a SIM change or port-out request in connection with separating their (and their dependents’) phone numbers from an account shared with their abuser, i.e., someone who perpetrated domestic violence or a similar crime against the requester, under the Safe Communications Act (SCA). In those cases, a provider’s authentication of a survivor’s identity must comply with SCA requirements, including that authentication cannot involve “notify[ing] a primary account holder of a request by a survivor to port-out a number that is the subject of a line separation request” and, “[i]f the survivor is not the primary account holder or a designated user,” authentication should be “reasonably designed to confirm the survivor is actually a user of the specified line(s) on the account.” 47 C.F.R. § 64.6402 (effective May 15, 2024).

Response to Failed Authentication Attempts for SIM Change Requests. Providers will also be required to develop, maintain, and implement procedures establishing how to securely authenticate the identity for someone who requests a SIM change. Providers must ensure these procedures are “reasonably designed to prevent unauthorized access to a customer’s account.” 88 Fed. Reg. at 85797.According to the Commission, if a caller has failed numerous prior authentication attempts, it would be unreasonable to allow the caller to authenticate their identity by successfully responding to a single challenge.

The procedures for responding to failed authentication attempts must also comply with SCA requirements, including avoiding notifying an abuser of certain survivor requests related to line separation.

Customer Notification for SIM Change and Port-Out Requests. When a SIM change or port-out request is made, providers must provide the relevant customer with an immediate notification that the request has been made, before fulfilling the request. Providers do not have to wait for any specific period of time between sending the notice and fulfilling the request, nor do they need to use any prescribed language in the notification, as long as the notice is clear and concise. Providers have the flexibility to determine the method for delivering these notifications, as long as the method used is reasonably designed to reach the actual customer (and not someone impersonating the customer).

The notification procedures must also comply with SCA requirements, including avoiding notifying an abuser of certain survivor requests related to line separation.

Account Locks for SIM Change and Port-Out Requests. Providers must offer all customers, free of charge, the option to lock or freeze their accounts to stop SIM changes and number porting. Except in connection with line separation requests from survivors of domestic violence and similar crimes and abuses, providers must not process SIM change and port-out requests until the customer deactivates the account lock. The activation and deactivation process must not be unduly burdensome.

A provider may initiate an account lock when it believes the customer may be at high risk of fraud, but it must promptly provide clear notification of the account lock, provide instructions on how to deactivate the lock, and limit the duration of the lock so that it expires when the high risk of fraud is no longer evident. It must also promptly comply with any legitimate requests to deactivate an account lock.

Recordkeeping Requirements for SIM Change Requests. Beginning when the order goes into effect, providers must establish processes to reasonably track (and maintain for at least 3 years):

  • Number of SIM change requests;
  • Number of successful SIM change requests;
  • Number of failed SIM change requests;
  • Number of successful fraudulent SIM change requests;
  • Average time to remediate a fraudulent SIM change;
  • Number of complaints received regarding fraudulent SIM changes;
  • Authentication measures implemented; and
  • When the provider changes authentication method(s).

While there are no reporting or auditing requirements, the above information must be provided upon Commission request. The Commission also “strongly encourage[s]” providers “to collect and retain any additional information that will help them measure the effectiveness of their customer authentication and account protection measures.” 88 Fed. Reg. at 85800.

Customer Notification of Account Protection Measures. Providers must provide customers with a clear and concise notice of account protection measures that they offer to prevent and respond to SIM change and port-out fraud. The notice must be easily accessible through a provider’s website or an application.

Procedures for Resolving Fraudulent Requests. At no cost to customers, providers must maintain a clearly disclosed, transparent, and easy-to- use process for customers to report fraudulent SIM changes and port-outs. Such reports must be promptly investigated, and providers must take reasonable steps within their control to remediate such changes. Lastly, providers must provide, upon request, documentation of fraudulent SIM changes or number port-out requests to customers.

Employee Training. Providers must also train employees to address fraudulent SIM change or port-out attempts, complaints, and remediation. Such training must include how to identify fraudulent requests, how to recognize when a customer may be a victim of fraud, and how to direct individuals to employees specifically trained to handle such incidents.

Further Notice of Proposed Rulemaking. The FNPRM proposes requiring wireless providers to immediately notify customers in the event of a failed authentication attempt, except as necessary to protect survivors of domestic violence and related crimes; seeks comment on ways to facilitate inter-industry and inter-agency cooperation in the area, whether additional requirements should be considered to protect consumers, and potential effects on digital equity and inclusion; and proposes requiring providers to apply the new identity verification safeguards to customer attempts to gain access to CPNI. Comments will be due 30 days after the FNPRM is published in the Federal Register; reply comments, 30 days after that.

For additional information about the FCC’s SIM change and port-out rules, contact jnakahata@hwglaw.com, afowler@hwglaw.com, or the HWG attorney with whom you regularly work

This advisory is not intended to convey legal advice. It is circulated publicly as a convenience and does not reflect or create an attorney-client relationship.

***

1 Some of the new requirements are subject to review by the Office of Management and Budget (OMB) under the Paperwork Reduction Act. If OMB does not complete its review of these requirements by May 15, 2024, the requirements will go into effect upon completion of OMB review.