The Federal Communications Commission (FCC) is turning up the heat on illegal robocalls. Moving beyond general policy commitments, the Commission is shifting toward a strict, prescriptive regime focused on aggressive verification, monitoring, and proactive enforcement.

At its May 20, 2026 Open Meeting, the FCC is considering a major draft proposal (FNPRM) aimed squarely at the “bad actors” enabling unlawful traffic. Following on the heels of the recent “Know-Your-Customer” (KYC) rules, this new initiative focuses heavily on “Know-Your-Upstream-Provider” (KYUP) obligations and massive upgrades to the STIR/SHAKEN framework.

Here is a quick breakdown of the five major changes on the horizon and how voice service providers can prepare.

5 Key Pillars of the New Proposal

1. Expanded KYUP Requirements: Current rules require “reasonable and effective” steps to block unlawful traffic. The new proposal mandates active, ongoing vetting. Providers must collect, verify, and monitor upstream providers’ business data and traffic patterns, and swiftly terminate relationships with high-risk actors.

2. Enhanced STIR/SHAKEN Oversight: To lock bad actors out of the authentication ecosystem, the FCC plans to tighten controls over token issuance, certification authorities, and enforcement procedures.

3. Higher Attestation Standards: The proposal formally codifies the A-, B-, and C-level attestation framework with explicit definitions. Crucially, it bans “improper attestations” where a provider overstates their knowledge of a caller’s identity.

4. Closing Authentication Gaps: The FCC wants to eliminate remaining STIR/SHAKEN hardship extensions, prohibit intentional routing that strips authentication data, and require intermediate providers to authenticate unauthenticated calls.

5. Cracking Down on Foreign Traffic: Expect heightened scrutiny and tighter safeguards on international call paths and gateway providers to block illegal foreign-originated traffic from entering U.S. networks.

KYC vs. KYUP: The Dual-Compliance Reality

If adopted, providers will need to manage two parallel compliance tracks:

1. KYC (Know Your Customer): Vetting end-user customers before service activation.
2. KYUP (Know Your Upstream Provider): Vetting and monitoring the carriers, wholesalers, and resellers handing off traffic to your network.

Conclusion: In future enforcement investigations, the FCC is highly likely to evaluate your onboarding, contracts, analytics, and attestation practices as a single, unified workflow. 

How Providers Can Prepare Now

While these rules aren’t final, they will launch a major comment cycle that impacts everyone from originating providers and VoIP resellers to enterprise voice platforms. Smart providers should audit their systems today:

• Identify and map all upstream providers sending traffic to your network.
• Compare your current onboarding and vetting processes against the FCC’s proposed baseline.
• Review third-party signing relationships to ensure your company maintains ultimate control over attestation decisions.
• Establish clear escalation and termination protocols for high-risk upstream partners.

A recent decision from the Fifth Circuit Court of Appeals may significantly reshape how “prior express consent” is interpreted under the Telephone Consumer Protection Act (TCPA). In Bradford v. Sovereign Pest Control of Texas, Inc.(Feb. 25, 2026), the court held that a consumer who gives a business their cellphone number effectively consents to receive prerecorded calls and text messages related to that relationship. The ruling affirms a lower court’s decision that a pest control company did not violate the TCPA when it used prerecorded messages to remind a customer about renewal inspections.

The plaintiff, Radley Bradford, enrolled in a service plan and provided his cellphone number as part of the agreement. Sovereign Pest Control later sent him prerecorded reminders to schedule inspections, which he followed through on multiple times. Despite renewing his plan year after year, Bradford eventually filed a class action lawsuit, arguing that the company needed his “prior express written consent,” as defined by the Federal Communications Commission (FCC), to make such calls.

The Fifth Circuit rejected that argument. It emphasized that the TCPA itself requires only “prior express consent,” not “prior express written consent,” unless additional requirements are imposed by the FCC. Importantly, the court declined to defer to FCC interpretations and instead focused on the statutory text. It concluded that “express consent” may be either oral or written—and that voluntarily providing a phone number for contact satisfies that standard.

The court also pointed to the parties’ ongoing relationship. Bradford not only supplied his number but repeatedly renewed his service plan and never objected to the communications. This pattern, the court found, reinforced the conclusion that he consented to receive messages related to the services he continued to request.

This decision diverges from approaches taken in other circuits, such as the Ninth Circuit, where courts more heavily rely on FCC rules requiring a higher level of consent. By rejecting those interpretations, the Fifth Circuit adopts a more text-focused—and generally more business-friendly—approach to the TCPA.

The court’s reasoning reflects a broader shift in administrative law following recent Supreme Court decisions that have curtailed the doctrine known as “Chevron deference.” Historically, courts often deferred to agency interpretations when statutes were unclear. Now, courts are increasingly interpreting statutory language independently, treating agency guidance as persuasive rather than binding. As a result, longstanding FCC orders—such as those issued in 1992 and 2012—carry less authoritative weight, paving the way for rulings like Bradford.

Conclusion:

For businesses that use prerecorded calls or text messages for appointment reminders, scheduling, or service updates, this decision provides important guidance. In the Fifth Circuit, a customer’s act of providing a cellphone number in the context of a transaction or service relationship will generally qualify as “prior express consent” under the TCPA. Written consent is no longer required in most cases—unless the communication involves telemarketing.

Decision Issued: February 25, 2026

The U.S. Court of Appeals for the Fifth Circuit ruled that the TCPA does not require written consent for automated or prerecorded calls.

In Bradford v. Sovereign Pest Control of TX, Inc., the court held that the statute requires only prior express consent, which may be provided orally or in writing. The TCPA does not distinguish between telemarketing and informational calls.

The court rejected the FCC’s long-standing prior express written consent rule, relying on recent Supreme Court decisions limiting judicial deference to agency interpretations.

Within the Fifth Circuit, the FCC’s written-consent requirement for telemarketing robocalls no longer applies.

Enforcement Risk

Companies should not change TCPA compliance programs yet.

Key risks include:

• The decision applies only within the Fifth Circuit
• Other federal circuits may continue enforcing FCC written-consent rules
• A circuit split could emerge
• TCPA lawsuits will continue to focus on whether prior express consent actually existed
• Juries may still determine consent disputes when documentation is unclear

Inconsistent consent documentation remains a major litigation risk.

Strategic Compliance Actions

Maintain conservative TCPA compliance practices while monitoring legal developments.

• Continue obtaining written consent where possible
• Maintain clear records of consent capture
• Audit consent workflows across marketing platforms
• Review vendor and lead-generation consent language
• Monitor emerging litigation in other circuits
• Prepare for potential regulatory or judicial changes to TCPA interpretation

This ruling signals a broader shift in how courts may evaluate FCC regulations after Loper Bright. Additional challenges to the TCPA regulatory framework are likely.

Deadline: March 1, 2026

The FCC now requires every registered voice service provider to complete annual RMD recertification.

Enforcement Risk

Failure to comply can result in:

• Immediate removal from the RMD
• Mandatory traffic blocking by other carriers
• $10,000 per violation for false or misleading statements
• $1,000 per violation for failing to update within 10 business days
• Formal FCC investigations
• Months-long reinstatement delays

Removal from the RMD can create an operational blackout scenario.

Strategic Compliance Actions

• Audit your existing RMD filing for accuracy
• Confirm mitigation plan alignment with network operations
• Update corporate identifiers and contact information
• Designate and secure MFA portal access
• Coordinate legal and technical teams
• Submit before the deadline

This is not a formality. It is a sworn representation to federal regulators.

Deadline: March 3, 2026

All telecommunications carriers and interconnected VoIP providers must submit their Annual Customer Proprietary Network Information (CPNI) Certification.

Even if you do not actively use or share CPNI, the filing requirement still applies.

What Is at Risk?

• Civil penalties up to $251,322 per day, per violation
• Maximum fines exceeding $2.5 million
• Criminal liability for false statements
• Increased scrutiny from the FCC Enforcement Bureau

CPNI certifications must include:

• Officer signature under penalty of perjury
• Written compliance narrative
• Disclosure of breaches, complaints, or enforcement matters
• Data broker compliance statement

Improperly drafted certifications can create liability exposure.