FCC robocall KYC could raise SIM-swap risks for crypto

On May 26 the Federal Communications Commission proposed a rule that would require originating voice providers to collect customer names, physical addresses, government-issued ID numbers, alternate telephone numbers and supporting verification records, and to retain those records for four years after the customer relationship ends. The proposal is published under CG Docket Nos. 17-59 and 02-278 and sets a $2,500 per-call base forfeiture for Know-Your-Customer violations. The FCC is accepting public comment through June 25.

The proposal would apply to new and renewing customers and asks whether requirements should also cover prepaid SIM cards and postpaid accounts. For high-volume customers the agency asked for intended use of service and associated IP addresses.

The FCC wrote that originating carriers are best placed to block abusive traffic before it enters the network and framed the proposal around financial losses from illegal robocall fraud.

Phone numbers already serve as a recovery and authentication method for email providers, cryptocurrency exchanges, fintech apps and customer-support verification. Security experts and prosecutors note that attaching more identity data to those numbers can increase the value of the accounts to attackers and raise the impact of a carrier breach or a social-engineering attack.

A Department of Justice civil forfeiture action filed in September 2025 described SIM-swap attacks that led to losses of more than $5 million in Bitcoin. The FBI’s Internet Crime Complaint Center recorded 1,611 SIM-swap complaints in 2021 with adjusted losses above $68 million, up from 320 complaints and about $12 million in losses across the prior three years combined.

In January 2024 an unauthorized party who had gained control of the phone number tied to the U.S. Securities and Exchange Commission’s social account reset the account password and posted a false announcement about approval of a spot Bitcoin ETF before the agency corrected the record.

Bitcoin security researcher Jameson Lopp has written that phone service without identity ties can serve as a security measure for people believed to hold large crypto positions, because identity-linked phone accounts raise the risk of extortion, swatting and physical attacks. Lopp maintains a public catalog of physical incidents involving crypto holders.

The FCC asked whether expanded collection creates privacy risks and whether carriers should face additional security requirements to protect the data. The final rule will determine whether the KYC requirement applies only to high-volume commercial originators or also to ordinary retail customers and prepaid SIMs, which will affect how broadly carrier records link phone numbers to names, addresses, ID numbers and service history.

Public comments close June 25; the final rule will set the scope of the requirement and the enforcement tools available to the agency.