Wireless companies want another year for SIM swap compliance

Top US wireless providers continue to push regulators for more time to comply with new rules designed to prevent phone-based scams and fraud.

"The current six-month implementation timeline does not give providers adequate time to implement effective and comprehensive compliance programs for the new, complex rules," wrote a group of wireless trade associations and companies, including CTIA, CCA, NCTA, Verizon, T-Mobile, Charter Communications and AT&T. "And moreover, the current timeframe by which order-compliant processes and systems must be developed and deployed is unclear."

In their new filing with the FCC, the companies argued that the agency's compliance date – July 8, 2024 – does not give wireless providers enough time to upgrade their systems to meet the FCC's new rules.

In their filing, the associations highlighted the work they'll need to do to meet the FCC's new rules:

"A provider would typically prepare a requirements document incorporating elements from the [FCC's] Order and have it reviewed by various business units to assess impact on their focus area, allowing for feedback and strategic planning," according to the filing. "The provider needs to have its architecture team develop a high-level solution and often engaging a third-party vendor to develop a written proposal detailing the solution and associated costs. This stage often involves extensive discussions over weeks, engaging both business teams and developers, culminating in the finalization of the solution and its cost. And different business units (e.g., postpaid versus prepaid) often have different systems that require different solutions. Providers may have separate provisioning and care systems and different methods of communication with different categories of subscribers (e.g., prepaid versus postpaid). Providers also cannot easily replicate processes, like customer notices, currently applied to a limited subset of customers and apply them to all customers. In all cases, the provider will need to perform testing and plan for when any software update can be reliably deployed based on preplanned existing update cycles, which are set to minimize the number of operational disruptions to the system."

In general, they argued that they won't be able to complete that work before the July 8 compliance deadline.

Protecting consumers

"We take these steps to improve consumer privacy and put an end to SIM scams," said FCC Chairwoman Jessica Rosenworcel in a statement late last year, after the agency voted to enact rules to curtail SIM fraud. "Because we know our phones know a lot about us. They are an entry to our records, our accounts, and so much that we value. That is why across the board we need policies that make sure our information is secure."

The FCC in October approved new rules designed to stifle SIM swap and port-out fraud. Broadly, the rules would establish a uniform framework across the mobile wireless industry for protecting customers. Specifically, the rules require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device or provider, and they would require that providers keep records of SIM change requests and the authentication measures they use. The rules would also adopt processes for responding to failed authentication attempts, institute employee training for handling SIM swap and port-out fraud, and establish safeguards to prevent employees from accessing customers' personal information until after that customer has been authenticated.

According to the FCC's chairwoman, the need for such rules is clear. "The Federal Bureau of Investigation reports SIM-swapping scams are on the rise. But they are not alone. Because we see it here, too. At the Federal Communications Commission we are getting more and more complaints from consumers who have suffered losses due to SIM-swapping fraud," Rosenworcel said.

Indeed, a telecom store manager in New Jersey recently pled guilty to participating in a SIM-swapping operation that netted him $5,000 in Bitcoin payments from five different victims.

Complaints and concerns

Shortly after the FCC passed its new rules, CTIA issued an official request for a partial reconsideration of the rules. "While the wireless industry appreciates the steps the [FCC] Order takes to promote a flexible and risk-based approach to the new SIM Swap and Number Porting Rules, CTIA seeks a targeted revision to the Order to ensure that providers have adequate time to develop the comprehensive systems and processes needed to implement the new rules and best serve the Commission's and industry's shared goals," the association wrote.

CTIA is the primary trade association representing wireless network operators like AT&T and T-Mobile.

And now, CTIA's pushback is gathering steam across additional companies and associations. In the new filing, CTIA is joined by NCTA (which represents cable operators and other companies) and CCA (which represents many smaller wireless network operators).

The groups and companies also called out several other concerns about the FCC's new rules. For example, they argued that it's not clear how these new rules will work with the FCC's new Safe Connections Act Order, which is designed to protect survivors of domestic abuse. "For example, providers need to design account locks so that they can be overridden in the event of a line separation request by a domestic violence survivor, and to ensure that automated notices of SCA-related transactions are not prematurely transmitted to an abuser," according to the filing.

The associations also complained that the FCC initially said the deadline for SIM swapping compliance was June 8, 2024, but later the agency changed that to July 8. That caused "considerable confusion," according to the associations.