FCC’s KYC Telecom Rule Puts SIM-Swap Crypto Victims at Greater Risk

The FCC wants telecoms to collect a lot more data on you. Names, addresses, government IDs — the works. And for crypto holders, that’s a problem worth paying attention to right now.

The proposal, filed under CG Docket Nos. 17-59 and 02-278 on May 26, asks voice service providers to gather extensive customer information as part of a push to cut down on illegal robocalls, which drain Americans of billions every year. Carriers would have to hold onto that data for four years after a customer relationship ends. Non-compliance carries a $2,500 penalty per call. Public comments close June 25, so the window to weigh in is pretty much shut.

SIM-Swap Attacks Are Already Expensive

Here’s the part that should worry anyone holding crypto. Phone numbers sit at the center of most account recovery and two-factor authentication systems. If your phone number gets hijacked — that’s a SIM-swap attack, where a fraudster convinces a carrier to redirect your number to their device — attackers can walk straight into your exchange accounts, your wallets, your email. It’s fast, it’s hard to stop in real time, and it’s already happening at scale.

In 2021 alone, there were 1,611 complaints of SIM-swapping filed with authorities, and losses that year topped $68 million. That’s up from $12 million over the prior three years combined. The jump is steep. And that’s before the FCC potentially makes phone accounts far richer targets by tying them to detailed personal records.

The logic isn’t complicated. Right now, some phone accounts — especially prepaid — carry minimal identity data. Attackers targeting those accounts get a phone number. Under the proposed rule, they’d potentially get a phone number plus a name, a home address, and a government ID number. That’s a full social engineering package. Carriers themselves have had breaches. Vendors have had breaches. More data stored longer means more exposure when something goes wrong.

The FCC’s proposal also asks carriers to collect IP addresses for high-volume users. That adds another layer of potentially sensitive information sitting in telecom databases.

Who Gets Covered — and Who Doesn’t

One of the biggest unresolved questions in the proposal is scope. The FCC hasn’t decided whether KYC requirements will apply to all customers or only to commercial originators — meaning businesses that generate large call volumes.

That distinction matters enormously. If the rule targets only commercial originators, most individual users probably won’t feel much change. But if the FCC extends requirements to all customers, including retail and prepaid accounts, it’s basically the end of pseudonymous phone access in the US. For crypto holders who’ve deliberately used prepaid or low-KYC phone services as a privacy layer — specifically because their threat model includes targeted attacks, extortion, or physical risk tied to known crypto wealth — that’s a serious shift.

Read also: WhiteBIT Grabs MiCA License in Austria Ahead of the EUs July 1 Crypto Deadline

The FCC is explicitly asking whether prepaid SIM cards and retail customers should face the same requirements as high-volume users. No answer yet. The final call on that question will shape whether this rule is mostly a robocall-fighting tool or becomes a new attack surface for the crypto community.

Not really a minor footnote. The prepaid question is arguably the whole ballgame for privacy-conscious users.

Privacy Gaps the FCC Hasn’t Answered

What’s striking about the proposal is what it doesn’t address. There’s no clear framework in the current text for how carriers must protect the data they collect. The FCC acknowledges — and it’s worth being direct about this — that existing industry protections may not be sufficient. The agency is asking whether additional security measures are needed. That’s an open question, not a solved one.

So the FCC is proposing to dramatically expand the personal data footprint of every phone account, while simultaneously admitting it’s unclear whether current safeguards are up to the job. For anyone whose phone number is also the key to a crypto portfolio, that gap is uncomfortable.

Social engineering attacks don’t require a technical breach. An attacker who already knows your name, carrier, and rough location — maybe from a previous data leak — calls your carrier’s support line and uses the newly collected KYC data to impersonate you convincingly. Carriers are already a weak link in this chain. Richer databases make impersonation easier, not harder.

The proposal leaves that risk basically unaddressed. There’s no mention of mandatory multi-factor verification before account changes, no minimum security standard for how carriers store or transmit the collected data, no liability framework beyond the $2,500 per-call penalty tied to robocall violations.

Read also: Webull Canada Crypto Lands CIRO Dealer Membership With Rare Insurance Carve-Outs

For crypto holders specifically, the outcome here probably forces a security rethink regardless of which way the FCC goes. If stringent KYC lands across all account types, phone-based two-factor authentication becomes a weaker link than it already is. Moving toward authenticator apps, hardware keys, or other non-phone-dependent security methods starts looking less optional and more necessary.

The FCC hasn’t set a final vote date. Public comments close June 25, and the rule could go through multiple revision rounds before anything is finalized. Unclear how long that takes. But the direction of travel — more data, longer retention, broader collection — seems set regardless of the scope decision.

The $68 million in SIM-swap losses recorded in 2021 happened before any of this expanded data collection was in place.