  • ✇Firewall Daily – The Cyber Express
  • FCC Proposes Tougher KYC Rules to Crack Down on Illegal Robocalls Samiksha Jain

FCC Proposes Tougher KYC Rules to Crack Down on Illegal Robocalls

The Federal Communications Commission (FCC) is proposing stricter Know-Your-Customer (KYC) rules for robocalls as part of a broader effort to curb illegal calls and protect consumers. In a newly released Further Notice of Proposed Rulemaking, the agency outlined plans to tighten requirements for originating voice service providers, which are considered the first line of defense against unlawful robocalls. The proposal reflects growing concern that existing KYC rules for robocalls are not being consistently enforced, allowing bad actors to exploit gaps in the system. The FCC emphasized that stopping illegal calls before they enter the network remains the most effective way to reduce fraud and abuse.

Why the FCC Is Expanding KYC Rules for Robocalls

Under current FCC robocall regulations, voice service providers are required to take “affirmative, effective” steps to know their customers. However, regulators say some providers are failing to carry out adequate checks, resulting in a surge of illegal robocalls that defraud consumers and expose telecom networks to misuse.

“Combatting illegal calls is our top consumer protection priority, and we are taking a holistic approach by attacking them at every point in their lifecycle.”

The FCC noted that weak KYC rules for robocalls not only enable scams but also make it harder for law enforcement to track criminal activities, including drug trafficking and human exploitation that rely on anonymous communication channels.

Proposed Changes to KYC Rules for Robocalls

The FCC is seeking public comment on several measures aimed at strengthening KYC rules for robocalls and improving telecom KYC compliance. One key proposal is to require providers to collect more detailed customer information before granting access to calling services. This includes name, physical address, government-issued identification number, and an alternate contact number for all new and renewing customers. For high-volume callers, such as businesses or bulk calling services, the FCC is considering additional requirements. These may include collecting information on how the service will be used—such as marketing or political campaigns—as well as technical data like IP addresses used to place calls. The Commission believes these enhanced Know-Your-Customer rules for robocalls could deter fraudsters from entering the network and make it easier to identify them if illegal activity occurs.

Verification, Monitoring, and Data Retention

Beyond data collection, the FCC is also proposing stricter verification and monitoring under its updated KYC rules for robocalls. Providers may be required to verify customer identities using supporting documents such as government-issued IDs or business registration records. The agency is also exploring whether companies should retain KYC records for up to four years after a customer relationship ends, allowing time for investigations into illegal robocalls. Another key focus is ongoing monitoring. The FCC is considering whether providers should re-verify customer information when unusual activity is detected, such as sudden spikes in call volume or changes in traffic patterns. These measures aim to ensure that telecom networks are not continuously exploited by bad actors using false or stolen identities.

Tougher Penalties to Enforce Compliance

To strengthen enforcement, the FCC has proposed financial penalties tied directly to violations of KYC rules for robocalls. The agency is considering a base fine of $2,500 per illegal call, aligning penalties with the scale of harm caused. This per-call penalty structure is designed to discourage large-scale robocall operations, where millions of fraudulent calls can generate significant profits. The FCC believes that stronger enforcement will push providers to take telecom KYC compliance more seriously and close existing loopholes.

Recent Enforcement Highlights Gaps

The push for stronger KYC rules for robocalls comes amid ongoing enforcement challenges. In a recent case, the FCC proposed a $4.5 million fine against Voxbeam Telecommunications for allegedly routing illegal robocalls into U.S. networks. The investigation found that Voxbeam accepted traffic from Axfone, a Czech-based provider not listed in the FCC’s Robocall Mitigation Database. Under existing rules, such traffic should have been blocked, raising concerns about gaps in compliance and oversight. If adopted, the new rules could significantly reshape how voice service providers onboard and monitor customers, bringing telecom practices closer to the stricter identity verification standards already seen in the financial sector.
  • ✇Firewall Daily – The Cyber Express
  • FCC Moves to Fine Voxbeam $4.5M in Robocall Case Linked to Foreign Traffic Samiksha Jain

FCC Moves to Fine Voxbeam $4.5M in Robocall Case Linked to Foreign Traffic

The Federal Communications Commission (FCC) has moved to fine Voxbeam Telecommunications $4.5 million, bringing renewed attention to how foreign call traffic is still being used to push bank impersonation scams into the U.S. telecom system. The Voxbeam robocall case stems from an FCC investigation that found the company allegedly routed suspicious robocalls onto American networks, calls that, under existing rules, should have been blocked before reaching consumers. At the center of the Voxbeam robocall case is a compliance failure that regulators consider fundamental. U.S. voice providers are barred from accepting traffic from operators not listed in the FCC’s Robocall Mitigation Database (RMD). Yet, according to the findings, Voxbeam carried calls from Axfone, a Czech Republic-based provider that has never been registered in the database, raising fresh concerns about gaps in enforcement and oversight.

FCC Flags Lapses in Voxbeam Robocall Handling

The Voxbeam robocall case is built around what regulators see as a failure to follow clear compliance requirements. According to the FCC, Voxbeam transmitted tens of thousands of calls from Axfone into U.S. networks over a short period—from March 31 to April 3, 2025. These weren’t random spam calls. Many of them appeared to impersonate major financial institutions, using spoofed numbers linked to fraud departments or customer service lines at banks such as Bank of America and Chase. For recipients, the calls looked legitimate, increasing the likelihood of victims engaging with scammers. The FCC says this kind of traffic should have been blocked outright. Providers listed outside the RMD are considered high-risk, and accepting their traffic is a direct violation of the rules.

Dormant Accounts Raise Red Flags

What makes the Voxbeam robocall case more concerning is how the traffic was routed. Investigators found that the calls were linked to an account that had been inactive since 2018. That detail matters. Dormant accounts are often seen as a weak point in telecom networks, as they can be reactivated without drawing immediate attention if proper monitoring is not in place. In this instance, the FCC believes Voxbeam failed to identify and stop a sudden surge of activity from an account that had been silent for years. For an industry that handles massive volumes of call traffic daily, this points to a deeper operational gap—not just a one-off mistake.

Consumer Harm Drives FCC Action

The investigation itself was triggered by a complaint from a financial institution. Customers had reported receiving fraudulent calls that appeared to come from the bank’s official fraud reporting number. This is where the impact of the Voxbeam robocall case becomes clear. These scams are not just technical violations—they directly affect consumers, erode trust in banking systems, and make fraud harder to detect. FCC Chairman Brendan Carr addressed this directly, stating:
“Companies like Voxbeam must ensure they are not accepting traffic from sketchy operators. These gateway providers are the on-ramps to American phone networks and with that business model comes significant responsibility. As we saw in this case, failure to follow the FCC’s robocall mitigation rules can result in tens of thousands of scam calls reaching U.S. customers. The FCC is committed to protecting consumers from robocall scams like these.”

A Broader Industry Problem

The Voxbeam robocall case reflects a wider challenge for regulators. While frameworks like the RMD are in place, enforcement still depends heavily on telecom providers doing their due diligence. And that’s where things often fall apart. Foreign operators, especially those outside regulatory oversight, remain a major source of illegal robocalls. When U.S.-based gateway providers fail to vet their partners or monitor unusual traffic patterns, they effectively open the door to these campaigns. The proposed $4.5 million penalty is significant, but it’s also a warning. The FCC is making it clear that simply acting as a pass-through for call traffic is no longer acceptable.
  • ✇Security Affairs
  • FCC targets foreign router imports amid rising cybersecurity concerns Pierluigi Paganini

FCC targets foreign router imports amid rising cybersecurity concerns

March 25, 2026, 08:22

The FCC will ban new foreign-made routers in the U.S. over security risks, unless approved by DHS or defense authorities.

The U.S. FCC announced a ban on importing new foreign-made consumer routers, citing unacceptable cyber and national security risks. The decision, backed by Executive Branch assessments, means such devices can no longer be sold or marketed in the U.S. unless they receive special approval.

Routers will be added to the Covered List, with exceptions only for those cleared by the Department of Homeland Security or defense authorities after they verify that the devices pose no threat to communications networks.

“Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones, and smart devices to the internet,” reads the announcement published by the FCC. “This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers ‘pose unacceptable risks to the national security of the United States or the safety and security of United States persons.’”

The U.S. “Covered List” is a security list maintained by the Federal Communications Commission under the Secure and Trusted Communications Networks Act.

It identifies communications equipment and services that pose national security risks to U.S. networks. Anything placed on this list is effectively banned from being authorized, marketed, or sold in the United States.

U.S. authorities warn that foreign-made routers create serious supply chain and cybersecurity risks, potentially disrupting the economy, critical infrastructure, and national defense. Policy guidance stresses reducing dependence on foreign components for essential technologies.

These routers have already been exploited by threat actors for hacking, espionage, and intellectual property theft, and were linked to major cyber espionage campaigns like Volt Typhoon, Flax Typhoon, and Salt Typhoon targeting U.S. infrastructure.

Manufacturers can still request Conditional Approval if their devices are proven safe. The rules apply only to new models, meaning existing routers already in use or previously approved can still be sold and used without restrictions.

Currently, only a few products, like drones and software-defined radios from SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero, are approved. Router manufacturers can seek Conditional Approval, while U.S.-made devices such as Starlink routers are exempt.

The FCC warns foreign routers pose major supply chain and cybersecurity risks, potentially disrupting infrastructure and the economy. Weak security in home and small office routers has already been exploited for hacking, espionage, and data theft, and can also turn devices into botnets for large-scale cyberattacks.

Pierluigi Paganini
