Protecting Consumers From SIM-Swap and Port-Out Fraud, 86614-86621 [2023-26701]

Federal Register / Vol. 88, No. 239 / Thursday, December 14, 2023 / Proposed Rules
FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 21–341; FCC 23–95, FR ID 186836]

Protecting Consumers From SIM-Swap and Port-Out Fraud

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

SUMMARY: In this document, the Federal Communications Commission adopted a Further Notice of Proposed Rulemaking (FNPRM) that seeks comment on whether to harmonize the existing requirements governing customer access to Customer Proprietary Network Information (CPNI) with the new Subscriber Identity Module (SIM) change authentication and protection measures that the Commission adopted; whether limitations on employee access to CPNI prior to customer authentication should be extended to all telecommunications carriers; what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud; and how providers should notify customers of failed authentication attempts.

DATES: Comments are due on or before January 16, 2024, and reply comments are due on or before February 12, 2024. Written comments on the Paperwork Reduction Act proposed information collection requirements must be submitted by the public and other interested parties on or before February 12, 2024.

ADDRESSES: You may submit comments, identified by WC Docket No. 21–341, by any of the following methods:

• Federal Communications Commission’s website: https://apps.fcc.gov/ecfs/. Follow the instructions for submitting comments.

• People with Disabilities: Contact the FCC to request reasonable accommodations (accessible format documents, sign language interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: 202–418–0530 or TTY: 202–418–0432.

For detailed instructions for submitting comments and additional information on the rulemaking process, see the SUPPLEMENTARY INFORMATION section of this document.
In addition to filing comments with the Office of the Secretary, a copy of any comments on the Paperwork Reduction Act information collection requirements contained herein should be submitted to Nicole Ongele, Federal Communications Commission, 45 L Street SW, Washington, DC 20554, or send an email to PRA@fcc.gov.

FOR FURTHER INFORMATION CONTACT: For further information, contact Melissa Kirkel at melissa.kirkel@fcc.gov or (202) 418–7958. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, send an email to PRA@fcc.gov or contact Nicole Ongele, Nicole.Ongele@fcc.gov.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission’s Further Notice of Proposed Rulemaking in WC Docket No. 21–341, FCC 23–95, adopted on November 15, 2023 and released on November 16, 2023. The full text of the document is available on the Commission’s website at https://docs.fcc.gov/public/attachments/FCC23-95A1.pdf. The Providing Accountability Through Transparency Act, Public Law 118–9, requires each agency, in providing notice of a rulemaking, to post online a brief plain-language summary of the proposed rule. The required summary of this FNPRM is available at https://www.fcc.gov/proposed-rulemakings. To request materials in accessible formats for people with disabilities (e.g. braille, large print, electronic files, audio format, etc.), send an email to FCC504@fcc.gov or call the Consumer & Governmental Affairs Bureau at (202) 418–0530 (voice).

Paperwork Reduction Act

The FNPRM may contain new or modified information collection(s) subject to the Paperwork Reduction Act of 1995. All such new or modified information collection requirements will be submitted to OMB for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, we seek specific comment on how we might “further reduce the information collection burden for small business concerns with fewer than 25 employees.”

Comments should address: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information shall have practical utility; (b) the accuracy of the Commission’s burden estimates; (c) ways to enhance the quality, utility, and clarity of the information collected; (d) ways to minimize the burden of the collection of information on the respondents, including the use of automated collection techniques or other forms of information technology; and (e) ways to further reduce the information collection burden on small business concerns with fewer than 25 employees. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107–198, see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees.

Regulatory Flexibility Act

The Regulatory Flexibility Act of 1980, as amended (RFA) requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” Accordingly, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the potential impact of rule and policy change proposals in the FNPRM on small entities. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the FNPRM indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA.

Ex Parte Presentations

The proceeding shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must: (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b).
In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules.

Comment Period and Filing Procedures

Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS) or by paper. Commenters should refer to WC Docket No. 21–341 when filing in response to this FNPRM.

• Electronic Filers: Comments may be filed electronically by accessing ECFS at https://www.fcc.gov/ecfs.

• Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. Paper filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail.

• Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings.

• Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal Service first-class, Express, and Priority Mail must be addressed to 45 L Street NE, Washington, DC 20554.
People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202–418–0530 (voice), 202–418–0432 (TTY).

Synopsis

1. Harmonizing the CPNI Safeguards Rules. In this FNPRM, we first seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures we adopt. This FNPRM expands on questions the Commission asked in the SIM Swap and Port-Out Fraud Notice and several comments in the record, but seeks more targeted feedback on a specific approach. In particular, in the SIM Swap and Port-Out Fraud Notice, the Commission asked “whether any new or revised customer authentication measures . . . would offer benefits for all purposes.” The Commission also asked whether there are “benefits to providing expanded authentication requirements before providing access to CPNI to someone claiming to be a carrier’s customer,” as well as “whether any heightened authentication measures required (or prohibited) should apply for access to all CPNI, or only in cases where SIM change requests are being made.” Additionally, the Commission proposed to add a prohibition on the use of recent payment and call detail information to authenticate customers for online access to CPNI.

2. Several commenters suggested that we harmonize our CPNI authentication rules with the SIM change authentication rules we adopt.
These commenters offered several rationales that potentially support harmonization of these rules, including that: (1) The CPNI authentication requirements are outdated and therefore vulnerable to fraud; (2) inconsistent rules are more burdensome on carriers; (3) some carriers default to specified authentication measures and are disincentivized from adopting more secure measures; (4) a prescribed list provides a road map for bad actors; and (5) the existing CPNI authentication requirements could undermine stronger authentication measures for SIM changes and number ports. Harmonization also would be consistent with commenters’ assertions that carriers need flexibility to implement more secure authentication measures. We seek comment on these justifications.

3. We also seek comment on other potential justifications for harmonization. For instance, we tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. We further tentatively conclude that multiple authentication standards and protection requirements may be confusing for customers. Are these tentative conclusions correct?

4. We seek comment on any reasons why we should not harmonize our CPNI and SIM change authentication rules. For example, would it be costly and burdensome for carriers, particularly small carriers, to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements we adopted? Are there other reasons harmonized rules would increase the costs or burdens on carriers, including small carriers? Is there anything unique about CPNI or SIM changes that warrants different authentication measures?
For instance, even if the existing measures for CPNI authentication may be outdated and less secure, are modifications to the rules unwarranted because the risk of harm from unauthorized access to CPNI is lower than from SIM swap fraud?

5. If we do choose to harmonize the rules addressing customer access to CPNI with our new SIM change safeguards, we seek comment on the extent to which the rules should be harmonized. We seek comment whether to remove the prescriptive authentication requirements in our current CPNI rules and replace them with the single requirement that carriers use secure methods of authenticating the identity of a customer prior to disclosing CPNI. We also seek comment on whether to use the same definition of secure methods of authentication, which are those that are reasonably designed to confirm a customer’s identity and excluding use of readily available biographical information, account information, recent payment information, call detail information, or any combination of these factors. Additionally, we seek comment on whether the procedures we require carriers to adopt for responding to failed authentication attempts in connection with SIM change requests should apply to all other CPNI authentications as well. We also seek comment on whether the CPNI customer access rules should be harmonized with any of the other SIM change protections we adopt. Should the limits on access to CPNI by employees who receive inbound customer communications prior to authentication of the customer apply to all telecommunications carriers? Should the CPNI rules only be harmonized to include some of these measures? If so, which measures should and should not be harmonized and why? Should we harmonize the customer notification rules for all account changes?
Additionally, are there any other rules that would need to be modified for consistency if we harmonize the CPNI rules, such as the Commission’s Telecommunications Relay Service (TRS) CPNI rules? Should the Commission apply any harmonized rules to all customer proprietary information?

6. We tentatively conclude that we should rely on the same legal authority we used to originally implement the CPNI authentication rules in order to harmonize any of the CPNI rules, and seek comment on this tentative approach. In the 2007 CPNI Order (72 FR 31948 (June 8, 2007)), as with the rules we adopted, we relied primarily on section 222 to implement the CPNI authentication rules, and we tentatively conclude this provision continues to provide us with sufficient authority to harmonize those rules with the SIM change rules. We seek comment on this tentative conclusion. We also seek comment on whether there are any legal implications for the harmonization approach we propose. For instance, in the 2016 Broadband Privacy Order (81 FR 87274 (Jan. 3, 2017)), the Commission harmonized the CPNI rules for voice providers with those it had adopted for broadband internet access service providers, but those rules were nullified by Congress pursuant to the Congressional Review Act, which prohibits the Commission from reissuing a disapproved rule “in substantially the same form” and from issuing a new rule “that is substantially the same as such a rule.” We tentatively conclude that the 2017 action by Congress has no effect on the options we may consider here and seek comment on this tentative conclusion.

7. Harmonizing Government Efforts to Address SIM Swap and Port-Out Fraud. We seek comment on what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. As several commenters noted, SIM swap and port-out fraud implicates the authentication practices of other industries. We recognize that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices. We seek information about those other efforts and the extent to which they seek to address the practices of wireless providers. We also seek comment on how the Commission can work with other government entities to harmonize our approaches to addressing SIM swap and port-out fraud.

8. Customer Notification of Failed Customer Authentication Attempts. We seek comment on whether we should require wireless providers to immediately notify customers in the event of a failed authentication attempt, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. 345) or the Commission’s rules implementing that statute. We believe that such notifications could empower customers to take action to prevent unauthorized access to their account when failed authentication attempts are fraudulent. Should we require all telecommunications carriers to provide such notifications to customers? In the event the Commission were to require such notifications, we tentatively conclude that the notifications should be reasonably designed to reach the customer associated with the account but otherwise would permit wireless providers to determine the method of providing these notifications, taking into consideration the needs of survivors pursuant to the Safe Connections Act and our implementing rules. We also tentatively conclude that such notifications should use “clear and concise language” but do not propose to prescribe particular content or wording for the notifications.

9.
Industry commenters assert that “a carrier does not typically know why a customer authenticates until after the customer has successfully authenticated.” Based on these assertions, should we permit carriers to employ “reasonable risk assessment techniques to determine when a failed authentication attempt requires customer notification,” or require notification only in instances of multiple failed attempts, or when there is reasonable suspicion of fraud? What are the benefits and costs of doing so, for both providers and customers? If we were to require customer notification only where there were multiple failed authentication attempts, what standard would we use to determine what constitutes “multiple,” and how would providers track multiple authentication attempts across different platforms (i.e., phone, application, and website)?

10. Other Consumer Protection Measures. We reiterate the Commission’s request for comment on whether there are any additional requirements the Commission should consider that would help protect customers from SIM swap or port-out fraud or assist them with resolving problems resulting from such incidents. For example, should we require wireless providers to explicitly exclude resolution of SIM change and port-out fraud disputes from arbitration clauses in providers’ agreements with customers or abrogate such clauses? Would this provide meaningful additional protections to customers from SIM swap and port-out fraud? What would be the costs to wireless providers, particularly small providers, from such a requirement?

11. Digital Equity and Inclusion.
Finally, the Commission, as part of its continuing effort to advance digital equity for all, including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority.

Initial Regulatory Flexibility Analysis

12. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Protecting Consumers from SIM Swap and Port-Out Fraud Further Notice of Proposed Rulemaking (FNPRM). Written comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments on the FNPRM provided on the first page of the item. The Commission will send a copy of the FNPRM, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). In addition, the FNPRM and IRFA (or summaries thereof) will be published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

13. In the SIM Swap and Port-Out Fraud Report and Order (Report and Order) (88 FR 85794 (Dec.
8, 2023)), the Commission adopts rules to address fraudulent practices that transfer a customer’s wireless service to a bad actor, allowing the bad actor to gain access to information associated with the customer’s account, and permitting the bad actor to receive the text messages and phone calls intended for the customer. Specifically, the Report and Order revises the Commission’s Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The Report and Order also requires wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts, and take additional steps to protect customers from SIM swap and port-out fraud. This approach sets baseline requirements that establish a uniform framework across the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available.

14. In this FNPRM, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order. This FNPRM expands on questions asked in the SIM Swap and Port-Out Fraud Notice (86 FR 57390 (Oct. 15, 2021)) and several comments in the record, but seeks more targeted feedback on a specific approach. The FNPRM explores whether justifications identified by commenters in the record, or any other justifications, provide a rationale for harmonizing the existing CPNI rules with the customer protection measures adopted in the Report and Order, as well as any reasons why the Commission should not harmonize its existing CPNI rules with the SIM swap fraud protection measures adopted in the Report and Order.

15.
Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the FNPRM also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud. The FNPRM also seeks comment on whether to require wireless providers to immediately notify customers in the event of a failed authentication attempt, except to the extent otherwise required by the Safe Connections Act of 2022 (47 U.S.C. 345) or the Commission’s rules implementing that statute, or whether to permit carriers to employ reasonable risk assessment techniques to determine when a failed authentication attempt requires customer notification, or require notification only in instances of multiple failed attempts or when there is reasonable suspicion of fraud.

B. Legal Basis

16. The proposed action is authorized pursuant to sections 1, 4, 201, 222, 251, 303(r), and 332 of the Communications Act of 1934, as amended, 47 U.S.C. 151, 154, 201, 222, 251, 303(r), and 332.

C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply

17. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act.
A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

18. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe, at the outset, three broad groups of small entities that could be directly affected herein. First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses.

19. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS.

20. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” U.S.
Census Bureau data from the 2017 Census of Governments indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. Of this number, there were 36,931 general purpose governments (county, municipal, and town or township) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts with enrollment populations of less than 50,000. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of ‘‘small governmental jurisdictions.’’

1. Providers of Telecommunications and Other Services

21. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers.

22. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year.
Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were engaged in the provision of fixed local services. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

23. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were fixed local exchange service providers. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

24. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers.
Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 1,212 providers that reported they were incumbent local exchange service providers. Of these providers, the Commission estimates that 916 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of incumbent local exchange carriers can be considered small entities.

25. Competitive Local Exchange Carriers (Competitive LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 3,378 providers that reported they were competitive local exchange service providers.
Of these providers, the Commission estimates that 3,230 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

26. Interexchange Carriers (IXCs). Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 127 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 109 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities.

27. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure.
Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 207 providers that reported they were engaged in the provision of local resale services. Of these providers, the Commission estimates that 202 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

28. Toll Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 457 providers that reported they were engaged in the provision of toll services. Of these providers, the Commission estimates that 438 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

29. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 594 providers that reported they were engaged in the provision of wireless services. Of these providers, the Commission estimates that 511 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

30. Wireless Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Wireless Resellers. The closest industry with an SBA small business size standard is Telecommunications Resellers.
The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications and they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. Under the SBA size standard for this industry, a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services during that year. Of that number, 1,375 firms operated with fewer than 250 employees. Thus, for this industry under the SBA small business size standard, the majority of providers can be considered small entities.

31. Satellite Telecommunications. This industry comprises firms ‘‘primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.’’ Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $38.5 million or less in annual receipts as small. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. Of this number, 242 firms had revenue of less than $25 million. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 65 providers that reported they were engaged in the provision of satellite telecommunications services.
Of these providers, the Commission estimates that approximately 42 providers have 1,500 or fewer employees. Consequently, using the SBA’s small business size standard, a little more than half of these providers can be considered small entities.

32. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Providers of internet services (e.g. dial-up ISPs) or Voice over internet Protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. Of those firms, 1,039 had revenue of less than $25 million. Based on this data, the Commission estimates that the majority of ‘‘All Other Telecommunications’’ firms can be considered small.

2. Internet Service Providers

33. Wired Broadband internet Access Service Providers (Wired ISPs). Providers of wired broadband internet access service include various types of providers except dial-up internet access providers. Wireline service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules.
Wired broadband internet services fall in the Wired Telecommunications Carriers industry. The SBA small business size standard for this industry classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees.

34. Additionally, according to Commission data on internet access services as of December 31, 2018, nationwide there were approximately 2,700 providers of connections over 200 kbps in at least one direction using various wireline technologies. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, in light of the general data on fixed technology service providers in the Commission’s 2022 Communications Marketplace Report, we believe that the majority of wireline internet access service providers can be considered small entities.

35. Wireless Broadband internet Access Service Providers (Wireless ISPs or WISPs). Providers of wireless broadband internet access service include fixed and mobile wireless providers. The Commission defines a WISP as ‘‘[a] company that provides end-users with wireless access to the internet[.]’’ Wireless service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. Neither the SBA nor the Commission have developed a size standard specifically applicable to Wireless Broadband internet Access Service Providers.
The closest applicable industry with an SBA small business size standard is Wireless Telecommunications Carriers (except Satellite). The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees.

36. Additionally, according to Commission data on internet access services as of December 31, 2018, nationwide there were approximately 1,209 fixed wireless and 71 mobile wireless providers of connections over 200 kbps in at least one direction. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, based on data in the Commission’s 2022 Communications Marketplace Report on the small number of large mobile wireless nationwide and regional facilities-based providers, the dozens of small regional facilities-based providers and the number of wireless mobile virtual network providers in general, as well as on terrestrial fixed wireless broadband providers in general, we believe that the majority of wireless internet access service providers can be considered small entities.

37. Internet Service Providers (Non-Broadband). Internet access service providers using client-supplied telecommunications connections (e.g., dial-up ISPs) as well as VoIP service providers using client-supplied telecommunications connections fall in the industry classification of All Other Telecommunications. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. For this industry, U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year.
Of those firms, 1,039 had revenue of less than $25 million. Consequently, under the SBA size standard a majority of firms in this industry can be considered small.

D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

38. In this FNPRM, we seek comment on whether to harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. We tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers, including small carriers. Recognizing that there may be other efforts within the government to tackle SIM swap and port-out fraud to address the broader implications of these harmful practices, the FNPRM also seeks comment on information about those other efforts and what steps the Commission can take to harmonize government efforts to address SIM swap and port-out fraud.

39. Should the Commission decide to modify existing rules or adopt new rules to harmonize its existing CPNI rules with rules to protect customers from SIM swap fraud, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements for affected providers of service. Likewise, should the Commission decide to adopt rules requiring notification of a failed authentication attempt, such action could potentially result in increased, reduced, or otherwise modified recordkeeping, reporting, or other compliance requirements. We seek comment on the effect of any proposals on small entities.
Entities, especially small businesses, are encouraged to quantify the costs and benefits of any reporting, recordkeeping, or compliance requirement that may be established in this proceeding. We anticipate the information we receive in comments including, where requested, cost and benefit analyses, will help the Commission identify and evaluate relevant compliance matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the FNPRM.

E. Steps Taken To Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered

40. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): ‘‘(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.’’

41. In this FNPRM, we seek comment on whether we should harmonize the existing requirements governing customer access to CPNI with the SIM change authentication and protection measures adopted in the Report and Order, and if so, the extent to which the rules should be harmonized. Among the justifications on which we seek comment are whether inconsistent rules are more burdensome on carriers and whether carriers need flexibility to implement more secure authentication measures.
We also tentatively conclude that harmonized authentication and protection requirements will be easier for wireless providers to implement and therefore will reduce costs and burdens on carriers. In considering additional alternatives, we also ask whether it would be costly and burdensome for carriers to adjust the CPNI authentication and protection practices they have already implemented to comply with the authentication requirements adopted in the Report and Order, and whether there are other reasons harmonized rules could increase the costs or burdens on carriers, including small carriers. Regarding notification to customers of failed authentication attempts, the FNPRM seeks comment whether the Commission should require immediate notification by all telecommunications carriers or only wireless providers. The FNPRM also asks whether providers should be required to notify customers immediately of all failed authentication attempts, or whether instead to permit carriers to employ reasonable risk assessment techniques to determine when failed authentication attempts require customer notification, or require notification only in instances of multiple failed attempts or when there is reasonable suspicion of fraud. The Commission expects to consider the economic impact on small entities, as identified in comments filed in response to the FNPRM and this IRFA, in reaching its final conclusions and taking action in this proceeding.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rules

42. None.

Paperwork Reduction Act of 1995 Analysis

This document contains new or modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public to comment on the information collection requirements contained in this Report and Order as required by the Paperwork Reduction Act of 1995, Public Law 104–13.
In addition, the Commission notes that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107–198, see 44 U.S.C. 3506(c)(4), we previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees.

II. Ordering Clauses

43. Accordingly, it is ordered that, pursuant to the authority contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154, 201, 222, 251, 303, and 332, this Further Notice of Proposed Rulemaking in WC Docket No. 21–341 is adopted.

44. It is further ordered that the Commission’s Office of the Secretary, Reference Information Center, shall send a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023–26701 Filed 12–13–23; 8:45 am]
BILLING CODE 6712–01–P


[Federal Register Volume 88, Number 239 (Thursday, December 14, 2023)]
[Proposed Rules]
[Pages 86614-86621]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-26701]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 21-341; FCC 23-95, FR ID 186836]


Protecting Consumers From SIM-Swap and Port-Out Fraud

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
adopted a Further Notice of Proposed Rulemaking (FNPRM) that seeks 
comment on whether to harmonize the existing requirements governing 
customer access to Customer Proprietary Network Information (CPNI) with 
the new Subscriber Identity Module (SIM) change authentication and 
protection measures that the Commission adopted; whether limitations on 
employee access to CPNI prior to customer authentication should be 
extended to all telecommunications carriers; what steps the Commission 
can take to harmonize government efforts to address SIM swap and port-
out fraud; and how providers should notify customers of failed 
authentication attempts.

DATES: Comments are due on or before January 16, 2024, and reply 
comments are due on or before February 12, 2024. Written comments on 
the Paperwork Reduction Act proposed information collection 
requirements must be submitted by the public and other interested 
parties on or before February 12, 2024.

ADDRESSES: You may submit comments, identified by WC Docket No. 21-341, 
by any of the following methods:
    - Federal Communications Commission's website: https://apps.fcc.gov/ecfs/. Follow the instructions for submitting comments.
    - People with Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: [email protected] or phone: 
202-418-0530 or TTY: 202-418-0432.
    For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document. In addition to filing comments 
with the Office of the Secretary, a copy of any comments on the 
Paperwork Reduction Act information collection requirements contained 
herein should be submitted to Nicole Ongele, Federal Communications 
Commission, 45 L Street SW, Washington, DC 20554, or send an email to 
[email protected].

FOR FURTHER INFORMATION CONTACT: For further information, contact 
Melissa Kirkel at [email protected] or (202) 418-7958. For 
additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, send an 
email to [email protected] or contact Nicole Ongele, [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
Further Notice of Proposed Rulemaking in WC Docket No. 21-341, FCC 23-
95, adopted on November 15, 2023 and released on November 16, 2023. The 
full text of the document is available on the Commission's website at 
https://docs.fcc.gov/public/attachments/FCC-23-95A1.pdf. The Providing 
Accountability Through Transparency Act, Public Law 118-9, requires 
each agency, in providing notice of a rulemaking, to post online a 
brief plain-language summary of the proposed rule. The required summary 
of this FNPRM is available at https://www.fcc.gov/proposed-rulemakings. 
To request materials in accessible formats for people with disabilities 
(e.g. braille, large print, electronic files, audio format, etc.), send 
an email to [email protected] or call the Consumer & Governmental Affairs 
Bureau at (202) 418-0530 (voice).

Paperwork Reduction Act

    The FNPRM may contain new or modified information collection(s) 
subject to the Paperwork Reduction Act of 1995. All such new or 
modified information collection requirements will be submitted to OMB 
for review under section 3507(d) of the PRA. OMB, the general public, 
and other Federal agencies are invited to comment on any new or 
modified information collection requirements contained in this 
proceeding. In addition, pursuant to the Small Business Paperwork 
Relief Act of 2002, we seek specific comment on how we might ``further 
reduce the information collection burden for small business concerns 
with fewer than 25 employees.''
    Comments should address: (a) whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information shall have practical 
utility; (b) the accuracy of the Commission's burden estimates; (c) 
ways to enhance the quality, utility, and clarity of the information 
collected; (d) ways to minimize the burden of the collection of 
information on the respondents, including the use of automated 
collection techniques or other forms of information technology; and (e) 
ways to further reduce the information collection burden on small 
business concerns with fewer than 25 employees. In addition, pursuant 
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, 
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might 
further reduce the information collection burden for small business 
concerns with fewer than 25 employees.

Regulatory Flexibility Act

    The Regulatory Flexibility Act of 1980, as amended (RFA) requires 
that an agency prepare a regulatory flexibility analysis for notice and 
comment rulemakings, unless the agency certifies that ``the rule will 
not, if promulgated, have a significant economic impact on a 
substantial number of small entities.'' Accordingly, the Commission has 
prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning 
the potential impact of rule and policy change proposals in the FNPRM 
on small entities. Written public comments are requested on the IRFA. 
Comments must be filed by the deadlines for comments on the FNPRM 
indicated on the first page of this document and must have a separate 
and distinct heading designating them as responses to the IRFA.

Ex Parte Presentations

    The proceeding shall be treated as a ``permit-but-disclose'' 
proceeding in accordance with the Commission's ex parte rules. Persons 
making ex parte presentations must file a copy of any written 
presentation or a memorandum summarizing any oral presentation within 
two business days after the presentation (unless a different deadline 
applicable to the Sunshine period applies). Persons making oral ex 
parte presentations are reminded that memoranda summarizing the 
presentation must: (1) list all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made, and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenter's written comments, memoranda or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page and/or paragraph numbers where such data 
or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.

Comment Period and Filing Procedures

    Pursuant to sections 1.415 and 1.419 of the Commission's rules, 47 
CFR 1.415, 1.419, interested parties may file comments and reply 
comments on or before the dates indicated on the first page of this 
document. Comments may be filed using the Commission's Electronic 
Comment Filing System (ECFS) or by paper. Commenters should refer to WC 
Docket No. 21-341 when filing in response to this FNPRM.
     Electronic Filers: Comments may be filed electronically by 
accessing ECFS at https://www.fcc.gov/ecfs.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing. Paper filings can be sent 
by commercial overnight courier, or by first-class or overnight U.S. 
Postal Service mail.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings.

     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
    U.S. Postal Service first-class, Express, and Priority Mail must be 
addressed to 45 L Street NE, Washington, DC 20554.
    People with Disabilities: To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).

Synopsis

    1. Harmonizing the CPNI Safeguards Rules. In this FNPRM, we first 
seek comment on whether to harmonize the existing requirements 
governing customer access to CPNI with the SIM change authentication 
and protection measures we adopt. This FNPRM expands on questions the 
Commission asked in the SIM Swap and Port-Out Fraud Notice and several 
comments in the record, but seeks more targeted feedback on a specific 
approach. In particular, in the SIM Swap and Port-Out Fraud Notice, the 
Commission asked ``whether any new or revised customer authentication 
measures . . . would offer benefits for all purposes.'' The Commission 
also asked whether there are ``benefits to providing expanded 
authentication requirements before providing access to CPNI to someone 
claiming to be a carrier's customer,'' as well as ``whether any 
heightened authentication measures required (or prohibited) should 
apply for access to all CPNI, or only in cases where SIM change 
requests are being made.'' Additionally, the Commission proposed to add 
a prohibition on the use of recent payment and call detail information 
to authenticate customers for online access to CPNI.
    2. Several commenters suggested that we harmonize our CPNI 
authentication rules with the SIM change authentication rules we adopt. 
These commenters offered several rationales that potentially support 
harmonization of these rules, including that: (1) The CPNI 
authentication requirements are outdated and therefore vulnerable to 
fraud; (2) inconsistent rules are more burdensome on carriers; (3) some 
carriers default to specified authentication measures and are 
disincentivized from adopting more secure measures; (4) a prescribed 
list provides a road map for bad actors; and (5) the existing CPNI 
authentication requirements could undermine stronger authentication 
measures for SIM changes and number ports. Harmonization also would be 
consistent with commenters' assertions that carriers need flexibility 
to implement more secure authentication measures. We seek comment on 
these justifications.
    3. We also seek comment on other potential justifications for 
harmonization. For instance, we tentatively conclude that harmonized 
authentication and protection requirements will be easier for wireless 
providers to implement and therefore will reduce costs and burdens on 
carriers, including small carriers. We further tentatively conclude 
that multiple authentication standards and protection requirements may 
be confusing for customers. Are these tentative conclusions correct?
    4. We seek comment on any reasons why we should not harmonize our 
CPNI and SIM change authentication rules. For example, would it be 
costly and burdensome for carriers, particularly small carriers, to 
adjust the CPNI authentication and protection practices they have 
already implemented to comply with the authentication requirements we 
adopted? Are there other reasons harmonized rules would increase the 
costs or burdens on carriers, including small carriers? Is there 
anything unique about CPNI or SIM changes that warrants different 
authentication measures? For instance, even if the existing measures 
for CPNI authentication may be outdated and less secure, are 
modifications to the rules unwarranted because the risk of harm from 
unauthorized access to CPNI is lower than from SIM swap fraud?
    5. If we do choose to harmonize the rules addressing customer 
access to CPNI with our new SIM change safeguards, we seek comment on 
the extent to which the rules should be harmonized. We seek comment on 
whether to remove the prescriptive authentication requirements in our 
current CPNI rules and replace them with the single requirement that 
carriers use secure methods of authenticating the identity of a 
customer prior to disclosing CPNI. We also seek comment on whether to 
use the same definition of secure methods of authentication, which are 
those that are reasonably designed to confirm a customer's identity and 
excluding use of readily available biographical information, account 
information, recent payment information, call detail information, or 
any combination of these factors. Additionally, we seek comment on 
whether the procedures we require carriers to adopt for responding to 
failed authentication attempts in connection with SIM change requests 
should apply to all other CPNI authentications as well. We also seek 
comment on whether the CPNI customer access rules should be harmonized 
with any of the other SIM change protections we adopt. Should the 
limits on access to CPNI by employees who receive inbound customer 
communications prior to authentication of the customer apply to all 
telecommunications carriers? Should the CPNI rules only be harmonized 
to include some of these measures? If so, which measures should and 
should not be harmonized and why? Should we harmonize the customer 
notification rules for all account changes? Additionally, are there any 
other rules that would need to be modified for consistency if we 
harmonize the CPNI rules, such as the Commission's Telecommunications 
Relay Service (TRS) CPNI rules? Should the Commission apply any 
harmonized rules to all customer proprietary information?
    6. We tentatively conclude that we should rely on the same legal 
authority we used to originally implement the CPNI authentication rules 
in order to harmonize any of the CPNI rules, and seek comment on this 
tentative approach. In the 2007 CPNI Order (72 FR 31948 (June 8, 
2007)), as with the rules we adopted, we relied primarily on section 
222 to implement the CPNI authentication rules, and we tentatively 
conclude this provision continues to provide us with sufficient 
authority to harmonize those rules with the SIM change rules. We seek 
comment on this tentative conclusion. We also seek comment on whether 
there are any legal implications for the harmonization approach we 
propose. For instance, in the 2016 Broadband Privacy Order (81 FR 87274 
(Jan. 3, 2017)), the Commission harmonized the CPNI rules for voice 
providers with those it had adopted for broadband internet access 
service providers, but those rules were nullified by Congress pursuant 
to the Congressional Review Act, which prohibits the Commission from 
reissuing a disapproved rule ``in substantially the same form'' and 
from issuing a new rule ``that is substantially the same as such a 
rule.'' We tentatively conclude that the 2017 action by Congress has no 
effect on the options we may consider here and seek comment on this 
tentative conclusion.
    7. Harmonizing Government Efforts to Address SIM Swap and Port-Out 
Fraud. We seek comment on what steps the Commission can take to 
harmonize government efforts to address SIM swap and port-out fraud. As 
several 
commenters noted, SIM swap and port-out fraud implicates the 
authentication practices of other industries. We recognize that there 
may be other efforts within the government to tackle SIM swap and port-
out fraud to address the broader implications of these harmful 
practices. We seek information about those other efforts and the extent 
to which they seek to address the practices of wireless providers. We 
also seek comment on how the Commission can work with other government 
entities to harmonize our approaches to addressing SIM swap and port-
out fraud.
    8. Customer Notification of Failed Customer Authentication 
Attempts. We seek comment on whether we should require wireless 
providers to immediately notify customers in the event of a failed 
authentication attempt, except to the extent otherwise required by the 
Safe Connections Act of 2022 (47 U.S.C. 345) or the Commission's rules 
implementing that statute. We believe that such notifications could 
empower customers to take action to prevent unauthorized access to 
their account when failed authentication attempts are fraudulent. 
Should we require all telecommunications carriers to provide such 
notifications to customers? In the event the Commission were to require 
such notifications, we tentatively conclude that the notifications 
should be reasonably designed to reach the customer associated with the 
account but otherwise would permit wireless providers to determine the 
method of providing these notifications, taking into consideration the 
needs of survivors pursuant to the Safe Connections Act and our 
implementing rules. We also tentatively conclude that such 
notifications should use ``clear and concise language'' but do not 
propose to prescribe particular content or wording for the 
notifications.
    9. Industry commenters assert that ``a carrier does not typically 
know why a customer authenticates until after the customer has 
successfully authenticated.'' Based on these assertions, should we 
permit carriers to employ ``reasonable risk assessment techniques to 
determine when a failed authentication attempt requires customer 
notification,'' or require notification only in instances of multiple 
failed attempts, or when there is reasonable suspicion of fraud? What 
are the benefits and costs of doing so, for both providers and 
customers? If we were to require customer notification only where there 
were multiple failed authentication attempts, what standard would we 
use to determine what constitutes ``multiple,'' and how would providers 
track multiple authentication attempts across different platforms 
(i.e., phone, application, and website)?
    10. Other Consumer Protection Measures. We reiterate the 
Commission's request for comment on whether there are any additional 
requirements the Commission should consider that would help protect 
customers from SIM swap or port-out fraud or assist them with resolving 
problems resulting from such incidents. For example, should we require 
wireless providers to explicitly exclude resolution of SIM change and 
port-out fraud disputes from arbitration clauses in providers' 
agreements with customers or abrogate such clauses? Would this provide 
meaningful additional protections to customers from SIM swap and port-
out fraud? What would be the costs to wireless providers, particularly 
small providers, from such a requirement?
    11. Digital Equity and Inclusion. Finally, the Commission, as part 
of its continuing effort to advance digital equity for all, including 
people of color, persons with disabilities, persons who live in rural 
or Tribal areas, and others who are or have been historically 
underserved, marginalized, or adversely affected by persistent poverty 
or inequality, invites comment on any equity-related considerations and 
benefits (if any) that may be associated with the proposals and issues 
discussed herein. Specifically, we seek comment on how our proposals 
may promote or inhibit advances in diversity, equity, inclusion, and 
accessibility, as well as the scope of the Commission's relevant legal 
authority.

Initial Regulatory Flexibility Analysis

    12. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Commission has prepared this Initial Regulatory 
Flexibility Analysis (IRFA) of the possible significant economic impact 
on a substantial number of small entities by the policies and rules 
proposed in the Protecting Consumers from SIM Swap and Port-Out Fraud 
Further Notice of Proposed Rulemaking (FNPRM). Written comments are 
requested on this IRFA. Comments must be identified as responses to the 
IRFA and must be filed by the deadlines for comments on the FNPRM 
provided on the first page of the item. The Commission will send a copy 
of the FNPRM, including this IRFA, to the Chief Counsel for Advocacy of 
the Small Business Administration (SBA). In addition, the FNPRM and 
IRFA (or summaries thereof) will be published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

    13. In the SIM Swap and Port-Out Fraud Report and Order (Report and 
Order) (88 FR 85794 (Dec. 8, 2023)), the Commission adopts rules to 
address fraudulent practices that transfer a customer's wireless 
service to a bad actor, allowing the bad actor to gain access to 
information associated with the customer's account, and permitting the 
bad actor to receive the text messages and phone calls intended for the 
customer. Specifically, the Report and Order revises the Commission's 
Customer Proprietary Network Information (CPNI) and Local Number 
Portability (LNP) rules to require wireless providers to adopt secure 
methods of authenticating a customer before redirecting a customer's 
phone number to a new device or provider. The Report and Order also 
requires wireless providers to immediately notify customers whenever a 
SIM change or port-out request is made on customers' accounts, and take 
additional steps to protect customers from SIM swap and port-out fraud. 
This approach sets baseline requirements that establish a uniform 
framework across the mobile wireless industry while giving wireless 
providers the flexibility to deliver the most advanced and appropriate 
fraud protection measures available.
    14. In this FNPRM, we seek comment on whether to harmonize the 
existing requirements governing customer access to CPNI with the SIM 
change authentication and protection measures adopted in the Report and 
Order. This FNPRM expands on questions asked in the SIM Swap and Port-
Out Fraud Notice (86 FR 57390 (Oct. 15, 2021)) and several comments in 
the record, but seeks more targeted feedback on a specific approach. 
The FNPRM explores whether justifications identified by commenters in 
the record, or any other justifications, provide a rationale for 
harmonizing the existing CPNI rules with the customer protection 
measures adopted in the Report and Order, as well as any reasons why 
the Commission should not harmonize its existing CPNI rules with the 
SIM swap fraud protection measures adopted in the Report and Order.
    15. Recognizing that there may be other efforts within the 
government to tackle SIM swap and port-out fraud to address the broader 
implications of these harmful practices, the FNPRM also seeks comment 
on information about those other efforts and what steps the Commission 
can take to harmonize government efforts to address SIM swap and port-
out fraud. The FNPRM also 
seeks comment on whether to require wireless providers to immediately 
notify customers in the event of a failed authentication attempt, 
except to the extent otherwise required by the Safe Connections Act of 
2022 (47 U.S.C. 345) or the Commission's rules implementing that 
statute, or whether to permit carriers to employ reasonable risk 
assessment techniques to determine when a failed authentication attempt 
requires customer notification, or require notification only in 
instances of multiple failed attempts or when there is reasonable 
suspicion of fraud.

B. Legal Basis

    16. The proposed action is authorized pursuant to sections 1, 4, 
201, 222, 251, 303(r), and 332 of the Communications Act of 1934, as 
amended, 47 U.S.C. 151, 154, 201, 222, 251, 303(r), and 332.

C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rules Will Apply

    17. The RFA directs agencies to provide a description of, and where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules, if adopted. The RFA generally defines 
the term ``small entity'' as having the same meaning as the terms 
``small business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A ``small business concern'' is one which: (1) is independently 
owned and operated; (2) is not dominant in its field of operation; and 
(3) satisfies any additional criteria established by the SBA.
    18. Small Businesses, Small Organizations, Small Governmental 
Jurisdictions. Our actions, over time, may affect small entities that 
are not easily categorized at present. We therefore describe, at the 
outset, three broad groups of small entities that could be directly 
affected herein. First, while there are industry specific size 
standards for small businesses that are used in the regulatory 
flexibility analysis, according to data from the Small Business 
Administration's (SBA) Office of Advocacy, in general a small business 
is an independent business having fewer than 500 employees. These types 
of small businesses represent 99.9% of all businesses in the United 
States, which translates to 33.2 million businesses.
    19. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2020, there were 
approximately 447,689 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    20. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2017 Census of Governments indicate there were 
90,075 local governmental jurisdictions consisting of general purpose 
governments and special purpose governments in the United States. Of 
this number, there were 36,931 general purpose governments (county, 
municipal, and town or township) with populations of less than 50,000 
and 12,040 special purpose governments--independent school districts 
with enrollment populations of less than 50,000. Accordingly, based on 
the 2017 U.S. Census of Governments data, we estimate that at least 
48,971 entities fall into the category of ``small governmental 
jurisdictions.''
1. Providers of Telecommunications and Other Services
    21. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as establishments primarily engaged in operating 
and/or providing access to transmission facilities and infrastructure 
that they own and/or lease for the transmission of voice, data, text, 
sound, and video using wired communications networks. Transmission 
facilities may be based on a single technology or a combination of 
technologies. Establishments in this industry use the wired 
telecommunications network facilities that they operate to provide a 
variety of services, such as wired telephony services, including VoIP 
services, wired (cable) audio and video programming distribution, and 
wired broadband internet services. By exception, establishments 
providing satellite television distribution services using facilities 
and infrastructure that they operate are included in this industry. 
Wired Telecommunications Carriers are also referred to as wireline 
carriers or fixed local service providers.
    22. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2022 Universal Service 
Monitoring Report, as of December 31, 2021, there were 4,590 providers 
that reported they were engaged in the provision of fixed local 
services. Of these providers, the Commission estimates that 4,146 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    23. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses specifically 
applicable to local exchange services. Providers of these services 
include both incumbent and competitive local exchange service 
providers. Wired Telecommunications Carriers is the closest industry 
with an SBA small business size standard. Wired Telecommunications 
Carriers are also referred to as wireline carriers or fixed local 
service providers. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2022 Universal Service 
Monitoring Report, as of December 31, 2021, there were 4,590 providers 
that reported they were fixed local exchange service providers. Of 
these providers, the Commission estimates that 4,146 providers have 
1,500 or fewer employees. Consequently, using the SBA's small business 
size standard, most of these providers can be considered small 
entities.
    24. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the 
Commission nor the SBA has developed a small business size standard 
specifically for incumbent local exchange carriers. Wired 
Telecommunications Carriers is the closest industry with an SBA small 
business size standard. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms in this industry that operated for the entire year. Of 
this number, 2,964 firms 
operated with fewer than 250 employees. Additionally, based on 
Commission data in the 2022 Universal Service Monitoring Report, as of 
December 31, 2021, there were 1,212 providers that reported they were 
incumbent local exchange service providers. Of these providers, the 
Commission estimates that 916 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, the 
Commission estimates that the majority of incumbent local exchange 
carriers can be considered small entities.
    25. Competitive Local Exchange Carriers (Competitive LECs). Neither 
the Commission nor the SBA has developed a size standard for small 
businesses specifically applicable to local exchange services. 
Providers of these services include several types of competitive local 
exchange service providers. Wired Telecommunications Carriers is the 
closest industry with an SBA small business size standard. The SBA 
small business size standard for Wired Telecommunications Carriers 
classifies firms having 1,500 or fewer employees as small. U.S. Census 
Bureau data for 2017 show that there were 3,054 firms that operated in 
this industry for the entire year. Of this number, 2,964 firms operated 
with fewer than 250 employees. Additionally, based on Commission data 
in the 2022 Universal Service Monitoring Report, as of December 31, 
2021, there were 3,378 providers that reported they were competitive 
local exchange service providers. Of these providers, the Commission 
estimates that 3,230 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
    26. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
Interexchange Carriers. Wired Telecommunications Carriers is the 
closest industry with an SBA small business size standard. The SBA 
small business size standard for Wired Telecommunications Carriers 
classifies firms having 1,500 or fewer employees as small. U.S. Census 
Bureau data for 2017 show that there were 3,054 firms that operated in 
this industry for the entire year. Of this number, 2,964 firms operated 
with fewer than 250 employees. Additionally, based on Commission data 
in the 2022 Universal Service Monitoring Report, as of December 31, 
2021, there were 127 providers that reported they were engaged in the 
provision of interexchange services. Of these providers, the Commission 
estimates that 109 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, the 
Commission estimates that the majority of providers in this industry 
can be considered small entities.
    27. Local Resellers. Neither the Commission nor the SBA has 
developed a small business size standard specifically for Local 
Resellers. Telecommunications Resellers is the closest industry with an 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2022 Universal 
Service Monitoring Report, as of December 31, 2021, there were 207 
providers that reported they were engaged in the provision of local 
resale services. Of these providers, the Commission estimates that 202 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    28. Toll Resellers. Neither the Commission nor the SBA has 
developed a small business size standard specifically for Toll 
Resellers. Telecommunications Resellers is the closest industry with an 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2022 Universal 
Service Monitoring Report, as of December 31, 2021, there were 457 
providers that reported they were engaged in the provision of toll 
services. Of these providers, the Commission estimates that 438 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    29. Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
SBA size standard for this industry classifies a business as small if 
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show 
that there were 2,893 firms in this industry that operated for the 
entire year. Of that number, 2,837 firms employed fewer than 250 
employees. Additionally, based on Commission data in the 2022 Universal 
Service Monitoring Report, as of December 31, 2021, there were 594 
providers that reported they were engaged in the provision of wireless 
services. Of these providers, the Commission estimates that 511 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    30. Wireless Resellers. Neither the Commission nor the SBA has 
developed a small business size standard specifically for Wireless 
Resellers. The closest industry with an SBA small business size 
standard is Telecommunications Resellers. The Telecommunications 
Resellers industry comprises establishments engaged in purchasing 
access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications 
and they do not operate transmission facilities and 
infrastructure. Mobile virtual network operators (MVNOs) are included 
in this industry. Under the SBA size standard for this industry, a 
business is small if it has 1,500 or fewer employees. U.S. Census 
Bureau data for 2017 show that 1,386 firms in this industry provided 
resale services during that year. Of that number, 1,375 firms operated 
with fewer than 250 employees. Thus, for this industry under the SBA 
small business size standard, the majority of providers can be 
considered small entities.
    31. Satellite Telecommunications. This industry comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The SBA small business size standard for this 
industry classifies a business with $38.5 million or less in annual 
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms 
in this industry operated for the entire year. Of this number, 242 
firms had revenue of less than $25 million. Additionally, based on 
Commission data in the 2022 Universal Service Monitoring Report, as of 
December 31, 2021, there were 65 providers that reported they were 
engaged in the provision of satellite telecommunications services. Of 
these providers, the Commission estimates that approximately 42 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, a little more than half of these 
providers can be considered small entities.
    32. All Other Telecommunications. This industry is comprised of 
establishments primarily engaged in providing specialized 
telecommunications services, such as satellite tracking, communications 
telemetry, and radar station operation. This industry also includes 
establishments primarily engaged in providing satellite terminal 
stations and associated facilities connected with one or more 
terrestrial systems and capable of transmitting telecommunications to, 
and receiving telecommunications from, satellite systems. Providers of 
internet services (e.g., dial-up ISPs) or Voice over Internet Protocol 
(VoIP) services, via client-supplied telecommunications connections are 
also included in this industry. The SBA small business size standard 
for this industry classifies firms with annual receipts of $35 million 
or less as small. U.S. Census Bureau data for 2017 show that there were 
1,079 firms in this industry that operated for the entire year. Of 
those firms, 1,039 had revenue of less than $25 million. Based on this 
data, the Commission estimates that the majority of ``All Other 
Telecommunications'' firms can be considered small.
2. Internet Service Providers
    33. Wired Broadband internet Access Service Providers (Wired ISPs). 
Providers of wired broadband internet access service include various 
types of providers except dial-up internet access providers. Wireline 
service that terminates at an end user location or mobile device and 
enables the end user to receive information from and/or send 
information to the internet at information transfer rates exceeding 200 
kilobits per second (kbps) in at least one direction is classified as a 
broadband connection under the Commission's rules. Wired broadband 
internet services fall in the Wired Telecommunications Carriers 
industry. The SBA small business size standard for this industry 
classifies firms having 1,500 or fewer employees as small. U.S. Census 
Bureau data for 2017 show that there were 3,054 firms that operated in 
this industry for the entire year. Of this number, 2,964 firms operated 
with fewer than 250 employees.
    34. Additionally, according to Commission data on internet access 
services as of December 31, 2018, nationwide there were approximately 
2,700 providers of connections over 200 kbps in at least one direction 
using various wireline technologies. The Commission does not collect 
data on the number of employees for providers of these services; 
therefore, at this time we are not able to estimate the number of 
providers that would qualify as small under the SBA's small business 
size standard. However, in light of the general data on fixed 
technology service providers in the Commission's 2022 Communications 
Marketplace Report, we believe that the majority of wireline internet 
access service providers can be considered small entities.
    35. Wireless Broadband internet Access Service Providers (Wireless 
ISPs or WISPs). Providers of wireless broadband internet access service 
include fixed and mobile wireless providers. The Commission defines a 
WISP as ``[a] company that provides end-users with wireless access to 
the internet[.]'' Wireless service that terminates at an end user 
location or mobile device and enables the end user to receive 
information from and/or send information to the internet at information 
transfer rates exceeding 200 kilobits per second (kbps) in at least one 
direction is classified as a broadband connection under the 
Commission's rules. Neither the SBA nor the Commission has developed a 
size standard specifically applicable to Wireless Broadband internet 
Access Service Providers. The closest applicable industry with an SBA 
small business size standard is Wireless Telecommunications Carriers 
(except Satellite). The SBA size standard for this industry classifies 
a business as small if it has 1,500 or fewer employees. U.S. Census 
Bureau data for 2017 show that there were 2,893 firms in this industry 
that operated for the entire year. Of that number, 2,837 firms employed 
fewer than 250 employees.
    36. Additionally, according to Commission data on internet access 
services as of December 31, 2018, nationwide there were approximately 
1,209 fixed wireless and 71 mobile wireless providers of connections 
over 200 kbps in at least one direction. The Commission does not 
collect data on the number of employees for providers of these 
services; therefore, at this time we are not able to estimate the 
number of providers that would qualify as small under the SBA's small 
business size standard. However, based on data in the Commission's 2022 
Communications Marketplace Report on the small number of large mobile 
wireless nationwide and regional facilities-based providers, the dozens 
of small regional facilities-based providers and the number of wireless 
mobile virtual network providers in general, as well as on terrestrial 
fixed wireless broadband providers in general, we believe that the 
majority of wireless internet access service providers can be 
considered small entities.
    37. Internet Service Providers (Non-Broadband). Internet access 
service providers using client-supplied telecommunications connections 
(e.g., dial-up ISPs) as well as VoIP service providers using client-
supplied telecommunications connections fall in the industry 
classification of All Other Telecommunications. The SBA small business 
size standard for this industry classifies firms with annual receipts 
of $35 million or less as small. For this industry, U.S. Census Bureau 
data for 2017 show that there were 1,079 firms in this industry that 
operated for the entire year. Of those firms, 1,039 had revenue of less 
than $25 million. Consequently, under the SBA size standard a majority 
of firms in this industry can be considered small.


D. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    38. In this FNPRM, we seek comment on whether to harmonize the 
existing requirements governing customer access to CPNI with the SIM 
change authentication and protection measures adopted in the Report and 
Order, and if so, the extent to which the rules should be harmonized. 
We tentatively conclude that harmonized authentication and protection 
requirements will be easier for wireless providers to implement and 
therefore will reduce costs and burdens on carriers, including small 
carriers. Recognizing that there may be other efforts within the 
government to tackle SIM swap and port-out fraud to address the broader 
implications of these harmful practices, the FNPRM also seeks comment 
on information about those other efforts and what steps the Commission 
can take to harmonize government efforts to address SIM swap and port-
out fraud.
    39. Should the Commission decide to modify existing rules or adopt 
new rules to harmonize its existing CPNI rules with rules to protect 
customers from SIM swap fraud, such action could potentially result in 
increased, reduced, or otherwise modified recordkeeping, reporting, or 
other compliance requirements for affected providers of service. 
Likewise, should the Commission decide to adopt rules requiring 
notification of a failed authentication attempt, such action could 
potentially result in increased, reduced, or otherwise modified 
recordkeeping, reporting, or other compliance requirements. We seek 
comment on the effect of any proposals on small entities. Entities, 
especially small businesses, are encouraged to quantify the costs and 
benefits of any reporting, recordkeeping, or compliance requirement 
that may be established in this proceeding. We anticipate the 
information we receive in comments including, where requested, cost and 
benefit analyses, will help the Commission identify and evaluate 
relevant compliance matters for small entities, including compliance 
costs and other burdens that may result from the proposals and 
inquiries we make in the FNPRM.

E. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    40. The RFA requires an agency to describe any significant, 
specifically small business, alternatives that it has considered in 
reaching its proposed approach, which may include the following four 
alternatives (among others): ``(1) the establishment of differing 
compliance or reporting requirements or timetables that take into 
account the resources available to small entities; (2) the 
clarification, consolidation, or simplification of compliance and 
reporting requirements under the rule for such small entities; (3) the 
use of performance rather than design standards; and (4) an exemption 
from coverage of the rule, or any part thereof, for such small 
entities.''
    41. In this FNPRM, we seek comment on whether we should harmonize 
the existing requirements governing customer access to CPNI with the 
SIM change authentication and protection measures adopted in the Report 
and Order, and if so, the extent to which the rules should be 
harmonized. Among the justifications on which we seek comment are 
whether inconsistent rules are more burdensome on carriers and whether 
carriers need flexibility to implement more secure authentication 
measures. We also tentatively conclude that harmonized authentication 
and protection requirements will be easier for wireless providers to 
implement and therefore will reduce costs and burdens on carriers. In 
considering additional alternatives, we also ask whether it would be 
costly and burdensome for carriers to adjust the CPNI authentication 
and protection practices they have already implemented to comply with 
the authentication requirements adopted in the Report and Order, and 
whether there are other reasons harmonized rules could increase the 
costs or burdens on carriers, including small carriers. Regarding 
notification to customers of failed authentication attempts, the FNPRM 
seeks comment on whether the Commission should require immediate 
notification by all telecommunications carriers or only wireless 
providers. The FNPRM also asks whether providers should be required to 
notify customers immediately of all failed authentication attempts, or 
whether instead to permit carriers to employ reasonable risk assessment 
techniques to determine when failed authentication attempts require 
customer notification, or require notification only in instances of 
multiple failed attempts or when there is reasonable suspicion of 
fraud. The Commission expects to consider the economic impact on small 
entities, as identified in comments filed in response to the FNPRM and 
this IRFA, in reaching its final conclusions and taking action in this 
proceeding.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    42. None.

Paperwork Reduction Act of 1995 Analysis

    This document contains new or modified information collection 
requirements. The Commission, as part of its continuing effort to 
reduce paperwork burdens, invites the general public to comment on the 
information collection requirements contained in this Report and Order 
as required by the Paperwork Reduction Act of 1995, Public Law 104-13. 
In addition, the Commission notes that pursuant to the Small Business 
Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 
3506(c)(4), we previously sought specific comment on how the Commission 
might further reduce the information collection burden for small 
business concerns with fewer than 25 employees.

II. Ordering Clauses

    43. Accordingly, it is ordered that, pursuant to the authority 
contained in sections 1, 2, 4, 201, 222, 251, 303, and 332 of the 
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154, 201, 
222, 251, 303, and 332, this Further Notice of Proposed Rulemaking in 
WC Docket No. 21-341 is adopted.
    44. It is further ordered that the Commission's Office of the 
Secretary, Reference Information Center, shall send a copy of this 
Further Notice of Proposed Rulemaking, including the Initial Regulatory 
Flexibility Analysis, to the Chief Counsel for Advocacy of the Small 
Business Administration.

Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-26701 Filed 12-13-23; 8:45 am]
BILLING CODE 6712-01-P

