What the FCC KYUP FNPRM Means for Agency Outbound Dialers
The FCC May 2026 KYUP FNPRM codifies STIR/SHAKEN attestation into law and rewrites upstream provider vetting rules. What insurance dialer teams need to know.

TL;DR
The FCC's KYUP FNPRM (FCC-26-32, adopted May 20, 2026) replaces the current one-paragraph "reasonable and effective steps" standard with five prescriptive baseline compliance categories that every voice service provider must document, verify, and maintain. It also codifies STIR/SHAKEN A, B, and C attestation levels into FCC rules for the first time and makes improper attestation an independently enforceable violation. Insurance agencies are not direct regulatory targets, but every outbound call they place flows through a provider who is. If that provider gets downgraded, blocked, or removed from the Robocall Mitigation Database, the agency's contact rates collapse. The operational playbook for agencies is simple: audit your provider relationships now, demand A-level attestation in your carrier agreements, and register your outbound numbers with the major caller ID reputation registries before the rules tighten further.
What exactly did the FCC propose in the May 2026 KYUP FNPRM?
On May 20, 2026, the Federal Communications Commission adopted a Further Notice of Proposed Rulemaking (FCC-26-32) that rewrites the Know Your Upstream Provider (KYUP) obligation from a single paragraph of principle into five mandatory baseline compliance categories that apply to every voice service provider (VSP) in the United States[fcc-fnprm]. The proposal lands in dockets WC No. 17-97 (Call Authentication Trust Anchor) and CG No. 17-59 (Advanced Methods to Target and Eliminate Unlawful Robocalls), with comments due 30 days after Federal Register publication and replies 60 days after[dwt-analysis].
The five baseline categories the FNPRM proposes are:
-
Information Collection: VSPs must gather corporate identity records, ownership structures including beneficial owners, operational and formation documents, financial and billing information, online presence data, and details about the upstream provider's services and customer base before establishing or renewing any service relationship[dwt-analysis].
-
Compliance Review: VSPs must verify that every upstream provider maintains an active Robocall Mitigation Database (RMD) filing, holds a valid SPC token if claiming STIR/SHAKEN implementation, has no recent FCC enforcement actions or license revocations, and does not appear on national security related lists such as the Covered List or Foreign Adversary Control System[dwt-analysis].
-
Information Verification: VSPs must confirm contact information is valid, speak directly with company principals, review websites and public records, and investigate inconsistencies in ownership or operational claims. The FCC also suggests cross-referencing information across providers to detect shell entities or replacement companies created by sanctioned actors[dwt-analysis].
-
Monitoring: VSPs must conduct ongoing periodic checks of upstream provider regulatory status, use call analytics to detect suspicious traffic patterns, review traceback information and enforcement developments, and evaluate new information suggesting improper authentication or suspicious call origination[dwt-analysis].
-
Responsive Action: VSPs must refuse or discontinue service when they lack an objectively reasonable basis to conclude the upstream provider is legitimate, when evidence suggests illegal call transmission, when required regulatory filings or authentication credentials are missing, or when the upstream provider refuses to cooperate with traceback requests[natlawreview].
This is a material shift from the FCC's prior principles-based approach. Under the current rule, providers must take "reasonable and effective steps" to ensure upstream providers are not transmitting large volumes of illegal calls. The FNPRM replaces that language with "affirmative, effective measures" to prevent any illegal calls, not merely high volumes[natlawreview].
How does the KYUP FNPRM change STIR/SHAKEN attestation for outbound calls?
Until now, the STIR/SHAKEN attestation framework lived exclusively in the ATIS caller-ID authentication technical standard. The A, B, and C attestation levels defined in that standard were industry convention, not enforceable FCC law. The KYUP FNPRM proposes to codify all three levels into the Commission's rules, which means improper attestation becomes a standalone regulatory violation[leadgen-economy].
Under the proposed codification, A-level (Full Attestation) requires the originating provider to both know the customer directly and verify the customer's right to use the calling number. B-level (Partial Attestation) still requires direct customer knowledge but releases the provider from verifying the calling number, which covers enterprise PBX customers using direct inward dialing pools. C-level (Gateway Attestation) applies when no direct authenticated customer relationship exists, which is the default for resold or wholesale traffic[leadgen-economy].
The operational implication for outbound dialers is direct: a VSP that has not verified the agency's corporate identity, traffic mix, and consent posture cannot lawfully assign A-level attestation. An agency that ports DIDs the VSP cannot trace to a number-assignment record will not get the right-to-use check needed for A-level either. Both gaps push the call into B-level or lower, which downstream analytics engines treat as elevated risk and terminating providers can label, block, or annotate[leadgen-economy].
The FNPRM also proposes to repeal the last remaining undue-hardship STIR/SHAKEN implementation extensions. Every provider with any remaining extension is now on notice[end-of-extensions].
Will the FCC KYUP proposal affect my insurance agency's dialer deliverability?
Yes. And the mechanism is not direct regulation: it is attestation chain risk.
Insurance agencies are not VSPs. They do not file in the RMD, do not hold SPC tokens, and are not listed as regulated entities in the KYUP FNPRM[leadgen-economy]. But every outbound call an agency places travels through an upstream carrier, and that carrier sits squarely under the new rules. The FNPRM's enhanced KYC posture forces the agency's carrier to underwrite the agency itself[leadgen-economy].
Here is the chain reaction the KYUP FNPRM sets in motion:
- The agency's dialer platform or VoIP provider faces new mandatory KYUP documentation and verification requirements for every upstream relationship in its call path[dwt-analysis].
- If the dialer provider cannot document compliance, its own attestation level drops. C-level attestation is already treated as high-risk by major US carriers, including AT&T, Verizon, and T-Mobile, who are aggressively filtering calls based on STIR/SHAKEN attestation in 2026[telcobridges].
- When attestation drops, terminating carriers apply spam labels or block the call entirely. 86% of calls from unknown numbers already go unanswered, and US consumers receive an average of 10 spam calls per week. A B-level or C-level attestation in this environment means your call never rings.
- If the upstream provider is removed from the RMD entirely, all traffic from that provider is blocked from US networks, effective immediately. In August 2025, the FCC removed 185 providers from the RMD in a single enforcement action, then removed more than 1,200 additional providers later the same month.
The math is straightforward. May 2026 saw 4.1 billion robocalls placed in the United States, averaging 12.5 calls per person. Carrier filtering is not getting looser. The KYUP FNPRM adds another compliance layer that will accelerate carrier scrutiny of every hop in the call path.
What happens to agencies whose upstream provider loses its RMD certification?
When a VSP is removed from the Robocall Mitigation Database, the FCC orders all other providers to block traffic from that entity. The removal is immediate, and the blocked provider cannot refile without approval from both the Enforcement Bureau and the Wireline Competition Bureau. There is no grace period, no transitional routing, and no workaround through a different carrier because the block applies at the network level.
For an insurance agency whose dialer or VoIP provider gets RMD-removed, the result is total call delivery failure. Every outbound line goes silent on the same day. Porting phone numbers to a new provider under emergency conditions takes days to weeks and can lose number history, warm-up status, and caller ID reputation. This is not a theoretical risk. The scale of the August 2025 removals, over 1,400 providers in a single month, proved the FCC will use the RMD as an enforcement gate and will not carve out exceptions for downstream customers[telcobridges].
Agencies should treat RMD certification status as a vendor risk metric with the same weight as E&O coverage or data security. If your dialer provider cannot produce a current RMD certification and confirmation of A-level attestation capability, you are one enforcement action away from a dead dialer. For additional background on how the RMD operates and why certification matters, see our FCC Robocall Mitigation Database guide.
What questions do agents ask most about the KYUP FNPRM and outbound dialing?
Does the KYUP FNPRM apply to insurance agencies directly?
No. The FNPRM regulates voice service providers, not end users of voice services. Insurance agencies are not required to file in the RMD, obtain SPC tokens, or document KYUP compliance directly[leadgen-economy]. However, the downstream effect is real: agencies inherit the compliance posture of every carrier in their call path. If your dialer provider or its upstream VoIP carrier cannot meet the new KYUP baseline, your calls will carry lower attestation and face higher filtering.
How quickly could attestation changes affect my contact rates?
Carrier filtering based on attestation level is already active. Major US carriers began aggressive STIR/SHAKEN-based filtering in 2025 and have expanded it through 2026[telcobridges]. A downgrade from A-level to B-level or C-level can change contact rates within the same billing cycle. There is no regulatory lag between attestation change and filtering effect: carriers apply their analytics engines in near real time.
What should I ask my dialer or VoIP provider right now?
Three questions. First: "What is the current STIR/SHAKEN attestation level on our outbound calls?" The answer must be A-level. Second: "Can you provide your current Robocall Mitigation Database certification and the certification status of every upstream provider in our call path?" If the answer is no or the provider cannot name every hop, you have a KYUP exposure. Third: "Does your service agreement include an attestation-level SLA and a remedy if our calls are downgraded or blocked?" Without contractual recourse, the agency carries all the risk.
Is there a compliance deadline agencies should track?
The KYUP FNPRM is a proposed rule, not a final order. Comments are due 30 days after Federal Register publication, with replies 60 days after[dwt-analysis]. A final rule could arrive in late 2026 or early 2027, with compliance deadlines typically 6 to 12 months after publication. The window to influence the rule is now. The window to prepare operationally is now. For a deeper look at how attestation levels function in practice, see our STIR/SHAKEN attestation levels guide.
What should agency principals do before the comment window closes?
Four operational steps, all actionable this quarter.
First, audit your carrier relationships. Request current RMD certifications from every voice provider in your call path, including your dialer platform, your SIP trunk provider, and any intermediate carriers. Map the full chain. If any provider cannot produce documentation, start a contingency migration plan. Number portability takes time, and rotating DIDs safely requires warm-up cycles that do not happen overnight.
Second, negotiate attestation-level guarantees into your carrier agreements. The KYUP FNPRM makes improper attestation an enforceable violation[leadgen-economy], which gives agencies leverage: carriers now face FCC penalties for assigning incorrect attestation levels, so a contractual SLA that demands A-level attestation is aligned with regulatory incentives rather than working against them.
Third, register your outbound numbers with the three major caller ID reputation registries: Hiya, First Orion, and TNS. 73% of consumers say businesses should identify themselves with caller ID. Registration does not guarantee clean delivery, but an unregistered number in a tightening attestation environment is a compounding disadvantage.
Fourth, monitor the proceeding. The KYUP FNPRM docket is WC No. 17-97. The FCC's Electronic Comment Filing System (ECFS) accepts comments from any interested party, not just regulated entities. Agency trade associations, including the Independent Insurance Agents and Brokers of America (Big I) and the National Association of Professional Insurance Agents (PIA), should be tracking this rulemaking. If your association is not, ask them why.
The FCC's direction of travel is unambiguous. The current administration has issued the KYUP FNPRM, the KYC FNPRM for end-user customer vetting, and the Ninth FNPRM on foreign-originated calls and caller identity, all in the first half of 2026[gryphon]. Each proceeding tightens a different link in the call authentication chain. Agencies that treat these as carrier problems and wait for someone else to solve them will wake up one morning to a silent dialer and a carrier that cannot route their calls. The time to act is now, while the rules are still being written.
Where did the compliance data in this post come from?
- FCC Further Notice of Proposed Rulemaking FCC-26-32, adopted May 20, 2026
- FCC News Release: FCC Proposes Enhanced Know-Your-Upstream-Provider Requirements, May 20, 2026
- Davis Wright Tremaine: FCC Proposes Expanded KYUP Rules, Enhanced STIR/SHAKEN Standards for Voice Providers, June 2026
- National Law Review / Womble Bond Dickinson: FCC's KYUP FNPRM Signals a Further Shift Toward Prescriptive Robocall Compliance Obligations, June 2026
- LeadGen Economy: FCC STIR/SHAKEN KYUP FNPRM: What Lead-Gen Call Centers and Outbound Platforms Inherit, June 2026
- Gryphon AI: Regulatory Report June 2026
- Hiya: Eroding Trust Is Crippling the Voice Channel (State of the Call 2026)
- YouMail Robocall Index, May 2026
- TelcoBridges: FCC STIR/SHAKEN Compliance for Small VoIP Providers, 2026