FCC Know Your Customer rulemaking (2026 prepaid phone identification proposal)

FCC Know Your Customer rulemaking refers to a Further Notice of Proposed Rulemaking adopted by the Federal Communications Commission (FCC) on April 30, 2026, that seeks comment on requiring originating voice service providers to collect government-issued identity information from customers before activating phone service.^[1][2] The document, FCC 26-27, firmly proposes only one new rule, a $2,500 per-call penalty for violations of the existing Know Your Customer duty, while it merely seeks public comment on the underlying identity-collection requirements that privacy advocates and press coverage have tied to the future of anonymous prepaid burner phones.^[1][3] It is a proposal open for comment, not an enacted rule; comments are due June 25, 2026.^[4]

The FCC describes combatting illegal calls as its "top consumer protection priority," and the agency estimates that victims of calling scams are defrauded of roughly $850 million annually.^[1] An existing rule, 47 CFR § 64.1200(n)(4), already requires originating providers to take affirmative, effective measures to know their customers and exercise due diligence so their services are not used to originate illegal traffic.^[1] That obligation dates to the FCC's Fourth Call Blocking Order in 2020 and sits alongside the agency's caller-authentication framework for verifying that calls come from the numbers they claim.^[1]

The FNPRM frames originating providers as "best positioned" to stop illegal calls by screening new or renewing customers before they place calls.^[1] In a separate statement, Chairman Brendan Carr wrote that while many providers comply, "some do the bare minimum (or worse) and have become complicit in illegal robocalling schemes."^[5] The agency also argues that weak customer diligence makes it harder for law enforcement to identify criminals who use the phone network for drug deals, violent crimes, and human trafficking.^[1]

The instrument is a Further Notice of Proposed Rulemaking, FCC 26-27, issued in CG Docket No. 17-59 and CG Docket No. 02-278. The FCC adopted it on April 30, 2026 and released it on May 1, 2026; Chairman Carr and Commissioner Olivia Trusty each issued a separate statement supporting the item.^[2][1] An accompanying fact sheet had circulated on April 9, 2026.^[3]

The document mixes one firm proposal with a set of open questions, and the distinction matters. In paragraph 3 the Commission lists what it is doing: it seeks comment on customer identification requirements, on verification and re-verification duties, on collecting more information from high-volume customers, and on how new rules would complement call-branding requirements; only the fifth item, per-call penalties, is stated as a proposal.^[1] The fact sheet draws the same line, listing the per-call penalty alone under "Propose to require" and placing the identity-collection items under "Seek comment on."^[3]

Only the penalty is stated as a firm proposal. The FCC proposes to codify a $2,500 per-call base forfeiture amount for violations of section 64.1200(n)(4), structuring the penalty around call volume so it tracks the harm caused by any one caller.^[1]

Everything touching data collection is a comment question. The Commission seeks comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government-issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services.^[1] For high-volume, business, and foreign customers, it would seek comment on also collecting the intended use of the service and the IP address from which each call is placed.^[1] It seeks comment on retention, with a proposed approach of keeping the records for four years after the customer relationship ends, tied to the four-year statute of limitations for related TCPA claims.^[1] And it asks whether to establish a safe harbor for providers that use "effective AI or automated systems" to meet the same objectives.^[1]

The press framing that the rule would force buyers to show ID for a prepaid burner phone traces to a single comment question, not a rule. In paragraph 14, under the heading "Differences Based on Prepaid and Postpaid Service," the FCC seeks comment on whether customer-information requirements should vary depending on whether a customer wants a prepaid or postpaid plan.^[1] The FNPRM does not mandate identity verification for prepaid service; it asks the public to weigh in.

The questions in that paragraph indicate how little identity information prepaid service requires today. The FCC asks what information wireless providers currently obtain from customers who buy prepaid SIM cards, what percentage of prepaid plans are bought in person at retail stores, and what steps providers take to validate identity for prepaid service sold through third-party retailers.^[1] It also asks whether current prepaid KYC standards are "being exploited by criminals committing other types of crime, such as human trafficking."^[1] A prepaid identity requirement is the gap the proceeding asks whether to close.

The FNPRM itself raises the privacy stakes directly. After listing the data fields it might require, the Commission asks for comment on the privacy implications:

What privacy concerns may arise from such a collection of personally identifiable information (PII) and how can we mitigate them?

^[1]

On the data-security side, it asks what steps industry takes to protect such information and whether existing measures would be enough given an expanded collection and retention of PII.^[1] Its proposed retention period would keep a customer's name, address, ID number, and alternate phone number on file for four years after service ends.^[1]

Those fields are modeled on bank anti-money-laundering rules. The FCC points to the Treasury's Customer Identification Program and concludes that, given misuse of networks by organized criminal groups, "it provides a good model for our work."^[1]

The Electronic Privacy Information Center (EPIC) has taken a documented position on this kind of regime in the FCC's robocall proceedings. EPIC asks the Commission to clarify that Know Your Customer requirements apply only to commercial callers, warning that the agency's measures should not cause "a loss of privacy for individual consumers" through additional data collection.^[6] EPIC notes that FCC publications have not always made clear that non-commercial callers would be excluded.^[6]

Practitioners have flagged the cost and liability side. Writing for the National Law Review, William Fife of Troutman Amin characterized the volume-based penalty as creating "a potentially exponential liability model" and advised providers to assess whether their onboarding can accommodate government-ID verification and alternate-number confirmation at scale.^[7] Telecom attorney Eric Troutman, summarizing the rulemaking on TCPAWorld, described it as "Steep penalties. Vague standards. Could be bad."^[8]

The Federal Register published the notice on May 26, 2026, at 91 FR 30596, under document number 2026-10407 and the title "Enhancing Know-Your-Customer Requirements."^[4] Comments are due on or before June 25, 2026, and reply comments are due on or before July 27, 2026.^[4] The proceeding has no effective date because it remains a proposal; the public docket is identified as FCC-2026-2014-0001 on regulations.gov.^[4]

• Federal Trade Commission