Disagreements Continue on Need for Tougher SIM Swapping Rules
Public interest and consumer groups urged the FCC take a more aggressive stance on a November Further NPRM about protecting consumers from SIM swapping and port-out fraud (see 2311150042). CTIA said the commission should “pursue a flexible and risk-based approach” toward customer account security and fraud deterrence. Reply comments were due this week in docket 21-341, and they largely mirror initial comments (see 2401180053).
“We are hopeful that the Commission’s new requirement that carriers evaluate the effectiveness of their authentication methods every year might eventually improve cybersecurity practices to the benefit of consumers,” said a filing by the National Consumer Law Center (NCLC) and other groups: “We are not persuaded that, absent clear liability for failing to adopt effective measures, carriers will succeed in eliminating SIM swap and port-out fraud.” Also signing the filing was the Electronic Privacy Information Center, Consumer Action, the Consumer Federation of America, the National Association of Consumer Advocates, the National Consumers League, Public Knowledge and the U.S. Public Interest Research Group.
The FCC must clarify that carriers, “the only parties in these frauds with the means to protect consumers from losses, are liable in SIM swap and port-out fraud cases,” said Margot Saunders, NCLC senior attorney: “The threat of individual, occasional enforcement actions from the Commission is not sufficient to compel carriers to protect consumers. Otherwise, these problems would not be so severe today.”
NCLC said SIM swap fraud raises special concerns. “There are few precautions consumers can take on their own, and it subverts what is intended to be a security mechanism,” the group said.
CTIA urged the FCC not to pursue “broader or more prescriptive” SIM swap rules. Wireless carriers already deploy “robust tools and methods to protect customers from SIM swap fraud,” CTIA said. Providers also need flexibility and time for implementing new SIM swap rules “so now is not the time to add to or change these new rules,” the group said.
The Federal Arbitration Act also prohibits the agency from restricting wireless provider arbitration clauses in subscriber agreements, CTIA said: “Even if the FCC had authority to regulate provider arbitration clauses -- which it does not -- the record makes clear that consumers would not benefit from such restrictions.” CTIA also questioned the FCC’s authority over customer proprietary information under the Communications Act.
USTelecom said that, like others commenters, it supports eliminating prescriptive authentication rules in favor of flexibility. “This flexibility will allow providers to implement new authentication processes in ways that best suits their customers, including by taking into account considerations such as digital literacy and accessibility,” USTelecom said: “It will also ensure that providers can quickly adapt their methods if new threats emerge.”
Oppositions were also due this week to a CTIA petition seeking a 12-month extension (see 2401090026) to the FCC's current six-month deadline for carriers to implement rules protecting consumers from SIM swapping and port-out fraud.
NCTA supported the extension. “In addition to the complex systems work that will be required to comply with these new requirements, companies also will have to undertake significant employee training efforts,” it said. In addition, NCTA noted that commissioners adopted rules implementing the Safe Connections Act at the same meeting they approved the SIM swapping order and FNPRM. That will also require “development of many new systems and procedures.” Many of the Safe Connections Act requirements “operate as exceptions to the rules adopted” on SIM swapping, “which creates additional complexity, thereby warranting additional time for implementation,” NCTA said.