Telecommunications Carriers’ Use of Customer 3060-0715 Proprietary Network Information and October 2024
Other Customer Information
SUPPORTING STATEMENT
This revised information collection is being submitted to obtain approval from the Office of Management and Budget (OMB) for new or revised information collection requirements that result in part from actions taken in two recent Federal Communications Commission (Commission or FCC) orders, as explained below. The revised information collection also adopts certain modifications to existing requirements to more accurately reflect current associated burdens, and removes certain requirements that the Commission has determined are not information collections subject to the Paperwork Reduction Act.
A. Justification:
1. Circumstances that make the collection necessary. This information collection implements the statutory obligations of section 222 of the Communications Act of 1934, as amended (the Act). Section 222 provides: “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunications carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222(a).
By definition, Customer Propriety Network Information (CPNI) means:
“(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
(B) information contained in the bills relating to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.” 47 U.S.C. § 222(h)(1).
By definition, Subscriber List Information means any information:
“(A) identifying the listed names of subscribers of a carrier and such subscribers’ telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications, and
(B) that the carrier or an affiliate has published, caused to be published, or accepted for publication in any directory format.” 47 U.S.C. § 222(h)(3).1
The new requirements for which the Commission is seeking approval in this collection (3060-0715), which are identified and discussed below where applicable, arise out of actions taken in Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Report and Order, FCC 23-95 (2023), summarized at 88 FR 85794 (Dec. 8, 2023) (SIM Swap and Port-Out Fraud Order) and Data Breach Reporting Requirements, WC Docket No. 22-21, Report and Order, FCC 23-111 (2023), summarized at 89 FR 9968 (Feb. 12, 2024) (Data Breach Reporting Requirements Order).2
SIM Swap and Port-Out Fraud Order. On November 16, 2023, the FCC released the SIM Swap and Port-Out Fraud Order, which adds new information collection requirements in paragraphs (o) through (r) 3 of this supporting statement. The SIM Swap and Port-Out Fraud Order adopted a baseline framework to combat SIM swap fraud by amending section 64.2010 of the CPNI rules to add paragraph (h) on Subscriber Identity Module (SIM) changes. A SIM swap involves the fraudulent transfer (or “swap”) of an account from a device associated with one SIM to a device associated with a different SIM, allowing a bad actor to control the victim’s mobile account and access the victim’s CPNI. The new rules establish a uniform framework that gives wireless providers4 flexibility to implement customer authentication and security methods to address SIM swap fraud. See SIM Swap and Port-Out Fraud Order. Wireless providers are required to comply with the new or modified rules except where the Safe Connections Act requires alternate procedures to be used, as discussed below. The SIM Swap and Port-Out Fraud Order modifies the existing CPNI collection requirements to require wireless providers to: (1) immediately notify customers of any requests for a SIM change associated with the customer’s account before the SIM change is completed; (2) provide customers with advance notice of any account protection measures offered; (3) clearly disclose a clear process for customers to report SIM fraud, and promptly provide customers with documentation of fraud involving their accounts; and (4) track and maintain for three years a record of SIM change requests and authentication measures used.
Data Breach Reporting Requirements Order. On December 21, 2023, the Commission released the Data Breach Reporting Requirements Order, which modifies information collection requirements in paragraphs (s) and (t) of this supporting statement. In addition to changes to the scope of customer data and reportable breaches covered by the Commission’s rules, the Data Breach Report and Order modifies the Commission’s data breach notification rules to require covered service providers to electronically notify the FCC of a reportable data breach through a link to a central reporting facility, contemporaneously with the existing obligation to notify the United States Secret Service Bureau (Secret Service) and the Federal Bureau of Investigation (FBI), and adopts equivalent requirements for telecommunications relay services (TRS) providers. Covered service providers include providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and TRS. All covered providers are required to maintain a record, electronically or in some other manner, of any breaches discovered, and notifications made. Covered providers are also required to submit, via the central reporting facility, an annual reporting of certain small breaches. See Data Breach Reporting Requirements Order.
Current 5 Information Collection Requirements which have already received OMB approval:
CPNI Information Collection Requirements
(a) Customer Approval (47 USC § 222(c)(1)): If carriers or providers of interconnected VoIP service choose to use CPNI to market service offerings outside the customer’s existing service, they must obtain customer approval. Carriers and providers of interconnected VoIP service are permitted to obtain such approval through written, oral, or electronic means. Carriers and providers of interconnected VoIP service are permitted to use advanced technologies of their networks, including 800 numbers, 888 numbers, and e-mail, to obtain customer approval, in addition to using various types of written approval, such as billing inserts. All carriers and providers of interconnected VoIP service are permitted to use CPNI to engage in win back marketing campaigns to target valued former customers that have switched to other carriers.
47 CFR § 64.2005 permits the use of CPNI for fraud prevention programs. Where carriers or providers of interconnected VoIP service are required to obtain customer approval, they may still do so through written, oral, or electronic means. See 47 CFR §§ 64.2003(k), 64.2005, and 64.2007, and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
(b) Customer Approval Documentation and Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must implement a system by which the status of a customer’s CPNI approval can be clearly established prior to the use of CPNI. By way of example:
carriers or providers of interconnected VoIP service that do not presently keep computerized records need not implement an electronic method of verifying approval status;
carriers or providers of interconnected VoIP service that already have computerized records could implement flags or adopt procedures whereby they access a separate database to verify approval status; or
carriers or providers of interconnected VoIP service could develop a combination of computerized and non-computerized systems as they see fit.
Telecommunications carriers and providers of interconnected VoIP service must train their personnel as to when they are and are not authorized to use CPNI, and carriers and providers of interconnected VoIP service must have an express disciplinary process in place.
Carriers and providers of interconnected VoIP service must maintain records of approval – whether written, oral, or electronic – for a period of at least one year, and be capable of producing them if the sufficiency of a customer's approval is challenged. See 47 CFR §§ 64.2003(k), 64.2007(e) and 64.2009, and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
(c) Notification of CPNI Rights: All telecommunications carriers and providers of interconnected VoIP service that choose to solicit customer approval must provide their customers a one-time notification of their CPNI rights prior to any such solicitation. Carriers and providers of interconnected VoIP service are required to give customers explicit notice of their CPNI rights prior to any solicitation for approval. A carrier or a provider of interconnected VoIP service is permitted to provide either written or oral notification. Such notification may take the form of a bill insert, an individual letter or an oral presentation that advises the customer of his/her right to restrict carrier access to CPNI.
At a minimum, customer notification, whether oral or written, must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier or provider of interconnected VoIP service to use, disclose, or permit access to CPNI. The notice must:
specify the types of information that constitute CPNI,
specify the specific entities that will receive the CPNI,
describe the purpose for which the CPNI will be used, and
inform the customer of his or her right to disapprove those uses, and to deny or withdraw access to CPNI at any time.
The notification also must:
advise customers of the precise steps they must take in order to grant or deny access to CPNI,
clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes, and
be reasonably comprehensible and non-misleading.
If any portion of a notification is translated into another language, then all portions of the notification must be translated into the language. See 47 CFR §§ 64.2003(k) and 64.2007(f), and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
(d) CPNI Rights Notification Recordkeeping: Pursuant to this one-time notification requirement, these carriers and providers of interconnected VoIP service must maintain a record of such notifications. Carriers and providers of interconnected VoIP service must maintain such records for a period of at least one year. See 47 CFR §§ 64.2003(k) and 64.2007(e), and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
(e) Event Histories Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must establish a supervisory review process regarding carrier or provider compliance with the rules in Part 64 for outbound marketing situations. To assure compliance with CPNI protections, sales personnel must obtain supervisory review of any proposed request to use CPNI for outbound marketing purposes. Carriers or providers of interconnected VoIP service are required to maintain a record of these event histories for at least one year from the date of the marketing campaign. See 47 CFR § 64.2009(d).
Carriers or providers of interconnected VoIP service using CPNI for sales and marketing campaigns must record the date and purpose of the campaign, and what products and services were offered to customers. Carriers and providers of interconnected VoIP service are required to maintain these records for a period of at least one year. See 47 CFR §§ 64.2003(k), and 64.2009(c) and (d), and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
(f) Compliance Certification: All telecommunications carriers and providers of interconnected VoIP service must file on an annual basis a certification signed by a current corporate officer attesting that he or she has personal knowledge that the carrier/provider is in compliance with the Commission’s Part 64 rules, and create an accompanying statement explaining how the carrier/provider is implementing our rules and safeguards. In addition, the carrier/provider must include an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year. See 47 CFR § 64.2009(e) and paragraphs 51-53 of the 2007 CPNI Order (FCC 07-22).
(g) Aggregate Customer Information Disclosure Requirements (47 USC § 222(c)(3)): Local exchange carriers (LECs) and providers of interconnected VoIP service must disclose aggregate customer information to others upon request, when they use or disclose the aggregate customer information for the purposes of marketing service to which the customer does not subscribe. See 47 CFR § 64.2003(k) and paragraphs 54-59 of the Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22).
(h) CPNI Disclosure to Third Parties: Section 222(c)(2) requires carriers, when presented with a customer’s affirmative written request, to provide that customer's CPNI to any person designated in the written authorization. Section 222(c)(2) also imposes a disclosure requirement on carriers to ensure that any party with customer authorization, including unaffiliated third-party competitors, can obtain access to individually identifiable CPNI. As such, carriers and providers of interconnected VoIP service must provide a customer's CPNI to any party that has obtained an affirmative written authorization from the customer. See 47 CFR § 64.2003(k) and paragraphs 54-59 of the Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22).
(i) Safeguards Required for Use of CPNI: In instances where carriers or providers of interconnected VoIP service use the carrier’s opt-out mechanism, they must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers’ inability to opt-out is more than an anomaly.
The notice shall be in the form of a letter, and include the following:
carrier’s or provider’s name,
a description of the opt-out mechanism(s) used,
the problem(s) experienced,
the remedy proposed and when it will be/was implemented,
whether the relevant state commission(s) has been notified, and whether it has taken any action,
a copy of the notice provided to customers, and
contact information.
Such notice must be submitted even if the carrier or provider offers other methods by which consumers may opt-out. See 47 CFR Sections 64.2003(k) and 64.2009(f), paragraphs 114-117 in the Third Report and Order and Third Further Notice of Proposed Rulemaking (FCC 02-214),6 and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).
Subscriber List Information Collection Requirements
(j) Provision of Subscriber List Information: A telecommunications carrier that provides telephone exchange service must provide subscriber list information gathered in its capacity as a provider of such service on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of publishing directories in any format. See 47 CFR § 64.2309. Carriers are obligated to provide updated subscriber list information to requesting directory publishers.
For subscribers that have multiple telephone numbers, a carrier must provide requesting directory publishers with each telephone number that it has published, caused to be published, or accepted for publication in a directory. See Third R&O (FCC 99-227), paragraph 49.7 Upon request, a carrier that has received at least thirty days advance notice also must provide subscriber list information on any periodic basis that the carrier’s internal systems can accommodate.
(k) Notifications: A carrier must provide subscriber list information at the time requested by the directory publisher, provided that the directory publisher has given at least thirty days advance notice and the carrier's internal systems permit the request to be filled within that timeframe. If a carrier's internal systems do not permit the carrier to provide subscriber list information within the requested timeframe, the carrier must inform the directory publisher that the requested schedule cannot be accommodated and tell the directory publisher which schedules can be accommodated. See 47 CFR § 64.2313.
A directory publisher may request that a carrier unbundle subscriber list information on any basis for the purpose of publishing one or more directories. If the carrier's internal systems do not permit it to unbundle subscriber list information on the basis a directory publisher requests, the carrier must inform the directory publisher that it cannot unbundle subscriber list information on the requested basis and tell the directory publisher the basis on which the carrier can unbundle subscriber list information; and provide subscriber list information to the directory publisher on the basis the directory publisher chooses from among the available bases. See 47 CFR § 64.2317.
A carrier shall provide subscriber list information obtained in its capacity as a provider of telephone exchange service to a requesting directory publisher in the format the publisher specifies, if the carrier's internal systems can accommodate that format. If a carrier’s internal systems do not permit the carrier to provide subscriber list information in the format the directory publisher specifies, the carrier shall within thirty days of receiving the publisher’s request:
inform the directory publisher that the requested format cannot be accommodated,
tell the directory publisher which formats can be accommodated, and
provide the requested subscriber list information in the format the directory publisher chooses from among the available formats. See 47 CFR § 64.2329.
If a carrier finds that it cannot accommodate all of a group of multiple or conflicting requests for subscriber list information within the specified timeframes, the carrier shall respond to those requests on a nondiscriminatory basis. The carrier shall inform each affected directory publisher of such requests within thirty days of when it receives the publisher’s request. See Third R&O (FCC 99-227), paragraph 68.
(l) Disclosure of Contracts, Rates, Terms and Conditions and Recordkeeping:8 A telecommunications carrier must retain, for at least one year after its expiration, each written contract that it has executed for the provision of subscriber list information for directory publishing purposes to itself, an affiliate, or an entity that publishes directories on the carrier's behalf.
A telecommunications carrier must maintain, for at least one year after the carrier provides subscriber list information for directory publishing purposes to itself, an affiliate, or an entity that publishes directories on the carrier’s behalf, records of any of its rates, terms, and conditions for providing that subscriber list information which are not set forth in a written contract.
These records and contracts shall be made available to the Commission and to any directory publisher upon request. Carriers, however, may withhold from disclosure those portions of their subscriber list contracts that are wholly unrelated to the provision of subscriber list information. Carriers may also require that any disclosure of subscriber list information contracts or records be subject to a confidentiality agreement that limits access to and use of the information to the purpose of determining the rates, terms, and conditions under which the carrier provides subscriber list information to itself, an affiliate, or an entity that publishes directories on the carrier's behalf. See 47 CFR § 64.2341.
Safeguards on the Disclosure of CPNI Information Collection Requirements
(m) Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access: If a telecommunications carrier or provider of interconnected VoIP service decides to provide call detail CPNI to the customer over the telephone during a customer-initiated telephone call, then it would be required to collect and maintain a database of any customer chosen passwords or response(s) to back-up authentication methods. See 47 CFR Section 64.2010(a) – (e) and paragraphs 13-22 in the 2007 CPNI Order (FCC 07-22).
(n) Notification of Account Changes: A telecommunications carrier or provider of interconnected VoIP service must notify its customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information. See 47 CFR § 64.2010(f) and paragraph 24 in the 2007 CPNI Order (FCC 07-22). The Safe Connections Order9 clarified that the rule requiring telecommunications carriers to notify customers “immediately” whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed does not apply when such changes are made in connection with a line separation request made pursuant to the Safe Connections Act. See 64.2010(f) and paragraph 100 of Safe Connections Order. The rules implementing the Safe Connections Act were approved by OMB on May 3, 2024 as part of collection 3060-1325.
New or Revised Information Collection Requirements which require OMB Approval resulting from the SIM Swap and Port-Out Fraud Order
(o) Customer notification of SIM change requests. To provide customers with an early warning that their account may be subject to fraudulent activity, CMRS providers must provide immediate notification to customers of any requests for a SIM change associated with the customer’s account. While the Commission declines to prescribe particular content or wording of SIM change notifications, the notifications must use clear and concise language with sufficient information to effectively inform a customer that a SIM change request involving the customer’s SIM was made. See 47 CFR § 64.2010(h)(3) and paragraphs 35-40 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
(p) Notice of account protection measures. CMRS providers must provide customers with notice of any account protection measures offered, including those to prevent SIM swap fraud, and to make this notice easily accessible via provider websites and applications. See 47 CFR § 64.2010(h)(5) and paragraph 67 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
(q) Procedures to resolve fraudulent SIM changes. CMRS providers must maintain a clearly disclosed, transparent, and easy-to-use process, at no cost, for customers to report SIM swap and port-out fraud, and upon request, promptly provide customers with documentation of the fraud involving their accounts. See 47 CFR § 64.2010(h)(6) and paragraphs 46-49 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
(r) SIM change recordkeeping. CMRS providers must track and maintain information regarding SIM change requests and their authentication measures, and retain that information for three years. See 47 CFR § 64.2010(h)(8) and paragraph 46 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
New or Revised Information Collection Requirements which requirement OMB approval resulting from the Data Breach Reporting Requirements Order.
(s) Notification of Security Breaches: Telecommunications carriers and providers of interconnected VoIP service shall notify law enforcement of a breach of their customers’ CPNI through a central reporting facility accessible via a link at http://www.fcc.gov/eb/cpni within seven business days after a reasonable determination of a breach. The carrier or provider shall notify its customers of the security breach after it has completed the process of notifying law enforcement. See 47 CFR § 64.2011 and paragraphs 26-32 in the 2007 CPNI Order (FCC 07-22).
The Data Breach Reporting Requirements Order revises breach notification obligations by: (1) expanding the obligations to cover breaches of personally identifiable information (PII) in addition to CPNI (collectively “covered data”); (2) expanding the definition of “breach” to include inadvertent access, use, or disclosure of covered data; (3) adopting an exception from the breach notification obligations for a good-faith acquisition of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed; (4) requiring telecommunications carriers and providers of interconnected VoIP service to electronically notify the Commission (in addition to the existing notifications to the Secret Service and the FBI) through a link to a central reporting facility of a reportable data breach; and (5) eliminating the requirement to notify customers of a breach in instances where the carrier or interconnected VoIP service provider has reasonably determined that no harm is likely to occur, or where a breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed. Equivalent notification requirements are adopted for TRS providers. All covered providers are required to maintain a record, electronically or in some other manner, of any breaches discovered and notifications made. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni or a successor URL designated by the Wireline Competition Bureau. See 47 CFR §§ 64.2011(a), (b), (d), and (e) and 64.5111(a), (b), (d), and (e) and paragraphs 15-19, 21, 26, 28-31, 52-58, 66-68, and 80 of the Data Breach Reporting Requirements Order (FCC 23-111).
(t) Breach Notification Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must maintain for a minimum two-year period a record, electronically or in some other manner, of any breaches discovered, notifications made to the United States Secret Service and the FBI, and notifications made to customers. This record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was subject of the breach, and the circumstances of the breach. See 47 CFR § 64.2011(c) and paragraph 29 in the 2007 CPNI Order (FCC 07-22).
The Data Breach Reporting Requirements Order revises breach recordkeeping obligations by requiring telecommunications carriers, providers of interconnected VoIP service, and TRS providers to maintain a record, electronically or in some other manner, of any breaches discovered and notifications made. The record shall include, if available, dates of discovery and notification, a detailed description of the covered data that was the subject of the breach, the circumstances of the breach, and the bases of any determinations regarding the number of affected customers or likelihood of harm as a result of the breach. All covered providers are also required to submit via the central reporting facility an annual reporting of certain small breaches. See 47 CFR §§ 64.2011(c) and 64.5111(c) and paragraphs 31-32, 39 and 85 of the Data Breach Reporting Requirements Order (FCC 23-111).
Information Collection Requirements Being Removed from this Information Collection
The following requirements are removed from this information collection because they are not “information collection” requirements within the meaning of the Paperwork Reduction Act.
Cost Study (formerly section (l)): In the event a directory publisher files a complaint regarding a carrier’s subscriber list information rates, the carrier must present a cost study providing credible and verifiable cost data to justify each challenged rate. This cost study must clearly and specifically identify and justify: incremental costs, common costs, overheads, and other information. The carrier should provide this information separately for both base file and updated subscriber list information if the complainant challenges both types of rates. See Third R&O (FCC 99-227), paragraph 106. This requirement is deleted because it is not an “information collection” but rather a procedure to help ensure rates for subscriber list information are reasonable. The procedure is not specified in the rules and is not triggered unless and until a directory publisher files a Section 208 complaint at the Commission, and the Commission has not received such a complaint in at least 10 years.
Certification (formerly section (m)): A telecommunications carrier may require persons requesting subscriber list information pursuant to section 222(e) of the Act or section 64.2309 to certify that the publisher will use the information only for purposes of publishing a directory. The certification may be either oral or written, at the carrier’s option. See 47 CFR § 64.2337. This requirement is deleted because the certification entails no burden other than that necessary to identify the respondent, the date, the respondent’s address, and the nature of the instrument and therefore the certification is not “information” within the meaning of the Paperwork Reduction Act. 5 CFR § 1320.3(h)(1).
Statutory authority for this collection of information is contained in sections 1, 2, 4(i), 4(j), 201-205, 208, 222, 225, 251, 303, 332, 345, and 403 of the Act, 47 U.S.C. §§ 151, 154(i), 154(j), 201-205, 208, 222, 225, 303, 332, 345, and 403.
This information collection does affect individuals or households; thus, there are impacts under the Privacy Act. However, the information that is related to individuals or households is collected by third parties; and as a consequence, the Commission is not required to complete a privacy impact assessment.10
2. Use of information. All of the information collection requirements are used to ensure that providers of telecommunications, interconnected VoIP, and telecommunications relay service (TRS) comply with the requirements the Commission promulgates in its orders and to implement sections 222 and 345 of the Act, which obligate telecommunications carriers to protect the privacy and security of information about their customers to which they have access as a result of their unique position as network operators, among other things..
3. Technological collection techniques. While the Commission anticipates that covered providers may choose to record CPNI using electronic or other technological collection techniques, the means of compliance is at the discretion of the provider. The Commission assumes that information technology, including the use of voice menu systems and automated response recognition systems, will be used by covered providers to comply with the requirements.
4. Efforts to identify duplication. For each of these requirements, the information to be collected is unique to each provider, and there are no similar collection requirements.
5. Impact on small entities. The collection of information will affect all providers of telecommunications, interconnected VoIP, and TRS, some of which may be “small entities” within the meaning of the Small Business Act, 5 U.S.C. § 601(6). Because small entities may need additional time to implement the online carrier authentication requirements of the 2007 CPNI Order (FCC 07-22), the Commission provided an additional six-month implementation period for these entities. The SIM Swap and Port-Out Fraud Order (FCC 23-95) requires CMRS providers to comply with the requirements six months after the Order’s effective date, or upon completion of OMB review, whichever is later. Providing such time to achieve compliance accounts for the urgency of safeguarding customers from the fraudulent schemes and will allow wireless providers to coordinate any updates needed to their systems and processes to comply with the Safe Connections Act and rules adopted to implement the statute.
6. Consequences if the information is not collected. Failing to collect the information, or collecting it less frequently, would violate the language and/or intent of the Act.
7. Special circumstances. The only special circumstance that would require a provider to report information more than quarterly is the requirement that providers notify law enforcement and customers in the event of a breach of customer information.
8. Federal Register notice. A 60-day notice was published in the Federal Register on June 25, 2024 (89 FR 53079. Three comments were received in response to the 60-day notice, from Competitive Carriers Association (CCA), NCTA – The Internet & Television Association (NCTA), and CTIA. Generally, CCA asserts that the FCC “severely underestimates the burden and time required to come in to compliance,” and urges the FCC to revise its cost and burden estimates.11 Similarly, NCTA requests that the Commission reassess the burdens of compliance with the new rules, and urges the Commission to reissue the PRA notice with more detailed burden and cost analysis.12 NCTA asserts that the initial 60-day notice did not provide sufficiently detailed burden estimates for each of the requirements.13 NCTA further asserts that providers anticipate that the cost of implementing the rules subject to the PRA “will be between $500,000 and $1 million.”14 Likewise, CTIA raises concerns that the FCC has “underestimated the burdens and costs of the new information collections and urges” the FCC to reissue its PRA Notice with an updated analysis for its burden and cost estimates, which should “either increase the Commission’s estimate, consistent with the record, or explain its rational for the current estimates in the PRA Notice.”15 CTIA raises concerns that the PRA Notice provides aggregate estimates, but does not explain how those totals should be divided among the various information collections under the Order.16 CTIA also asserts that the burdens are too low, and the notice “appears to ignore the burden of initial implementation of the new information collection requirements.”17
As an initial matter, the 60-day and 30-day PRA notices published by the Commission comply with the PRA and OMB regulations. Additionally, this supporting statement provides significant detail broken down by requirement, as CTIA and NCTA request.18 Further, as explained below in paragraph 12, the burden estimates include front-end time necessary for providers to design, develop, test, and implement procedures to address the new requirements subject to the PRA. However, to address commenter concerns, we upwardly adjust the burden estimate to account for additional time necessary for these activities, which are specifically associated with initial implementation.
Commenters also raise concerns about the burdens associated with specific new requirements. With respect to account locking, CCA asserts that some members’ vendors do not have readily accessible solutions and that “expensive unanticipated, and time-intensive software upgrades or customer solutions have been required.”19 With regard to customer notifications, CCA asserts that implementing the various customer notification requirements will take upwards of 700-800 hours of work at a cost of at least $70,000-$80,000 for vendor services and carrier resources required for implementation.20 CCA further estimates that achieving compliance with new requirements for account protection measures and procedures to resolve fraudulent SIM swaps or ports will take no less than 3,000-4,000 hours at a cost of between $300,000-$400,000 for vendor services and carrier resources required for implementation.21 CCA also estimates that compliance with SIM swap recordkeeping requirements will take upwards of 400-650 hours at a cost of between $40,000-$75,000 for vendor services and carrier resources required for implementation.22 CTIA, too, raises concerns regarding the ongoing burdens associated with the new requirements for customer notifications, customer account locks, procedures to resolve fraudulent SIM changes, and SIM change recordkeeping.23
The commenters do not, however, fully distinguish between the burden associated with the information collection elements of the new rules and full compliance with the new rules generally. For example, the SIM Swap and Port-Out Fraud Order requires providers to provide notice of any account protection measures the provider offers. The rules also require providers to maintain “a clearly disclosed, transparent, and easy-to-use process for customers to report SIM swap and port-out fraud, promptly investigate and take reasonable steps within their control to remediate such fraud, and upon request, promptly provide customers with documentation of SIM swap and port-out fraud involving their accounts.”24 CCA estimates 3,000-4,000 hours to comply with these rules alone. However, CCA does not distinguish between the burden of providing notice of account protection measures and costs associated with implementing account protection measures themselves (which are not collections of information subject to the PRA),25 nor do commenters distinguish between the burden of developing and providing notice of a fraud reporting mechanism, and investigating and remediating fraud (which are also not subject to the PRA).26 We nonetheless upwardly adjust the burden estimates associated with the notice and disclosure aspects of the new rules to account for commenter concerns.
Further, we do not believe that CCA’s burden estimates for complying with the new account locking requirements are relevant to PRA calculations because such requirements and the costs of implementing “account locking solutions” do not implicate the PRA.27 And, with respect to customer notifications, we explain further below that the primary burden associated with notifications to customers is in developing the initial system to automate such notices, which we have accounted for in our burden estimate. Nonetheless, we upwardly adjust this estimate based on commenter concerns, as we have done for the SIM change recordkeeping burden estimate as well.
The record in the SIM Swap and Port-Out Fraud Order indicated that a number of wireless providers already rely, at least partly, on some of the policies and procedures adopted in that Order and that are the subject of this collection.28 But neither CCA, CTIA, nor NCTA quantify how many providers already have processes in place to comply with the newly-adopted requirements, or how many would require more significant time to come into compliance, and how those numbers would affect the burden estimates they cite. Based on the record in the SIM Swap and Port-Out Fraud proceeding and the comments received in response to the 60-day PRA notice, we believe it is reasonable to assume that some providers would incur less burden, and others a greater burden, in implementing the requirements subject to the PRA, and thus use a burden hour estimate in between such ranges. Further, none of the commenters distinguished between the burdens associated with complying with the new rules for SIM changes, covered by this collection, and for port-out fraud, covered in collection 3060-0742. Nonetheless, to address commenter concerns, we upwardly adjust the burden estimates overall pertaining to the new requirements from the SIM Swap and Port-Out Fraud Order subject to the PRA in both this collection and collection 3060-0742, but split the burden for developing systems between the two collections, on the assumption that there will be substantial overlap between the two.
CCA also asserts that the Commission’s estimate regarding the notice requirements adopted in the SIM Swap and Port-Out Fraud Order does not account for the going forward increases in customer representative time and other employee time due to the new procedures and processes. We do not believe that such costs are implicated by the PRA with respect to the notice requirements adopted. Nonetheless, we upwardly adjust the burden estimates pertaining to the development of automated systems to implement the notice requirements in response to commenter concerns.
Commenters also raise three comments about timing. NCTA asserts that the 60-day PRA notice fails to meet the requirement that the information collection “reduces to the extent practicable and appropriate the burden,” because the Commission has “disregarded” providers’ requests for additional time.29 And CCA contends that that the FCC “provided no indication” of the timing of the Public Notice announcing the compliance date or how long after the Public Notice enforcement might begin.30 The Commission did not, however, disregard requests for additional time. On July 5, 2024, the Wireline Competition Bureau (Bureau) adopted an Order finding that good cause exists to waive compliance with the rules adopted in the SIM Swap and Port-Out Fraud Order that are not subject to OMB review until the effective date of the rules that are subject to OMB approval, which effectively results in a single synchronized timeframe: compliance with the rules in their entirety, including those not subject to the PRA, will not be required until after OMB completes review of the information collection requirements associated with the Order, and the Commission publishes a notice in the Federal Register announcing the compliance date.31 As for the timing of the Public Notice announcing a compliance date, to provide additional clarity to providers, the Commission commits to ensuring that compliance with the new rules will not be required for at least 30 days after the publication in the Federal Register of notice that OMB has completed its review.
Finally, CTIA raises concerns regarding the “No Cost Burden” estimates for the information collections. CTIA asserts that “providers report that the costs of contracting vendors and other third-party resources to assist in implementing the systems to fulfill the Order’s information collection requirements could range from tens of thousands of dollars for regional providers, to millions of dollars for nationwide wireless providers.”32 With respect to CTIA’s concerns raised about the “no cost burden” estimates for the information collections, consistent with OMB’s instructions, the Commission’s estimate of “Total Annual Cost” includes capital, start-up, operation, and maintenance costs, and excludes hourly labor costs, which are estimated separately. Thus $0 “Total Annual Cost” does not mean that the Commission does not expect that providers will have no costs to implement the collection. Provider costs are simply captured elsewhere in the information collection. Further, while CTIA and CCA assert that complying with the new rules will require engagement with outside vendors, contractors, and equipment manufacturers,33 we make clear that the Commission did not suggest that providers would incur no costs in responding to the collection. Further, neither CTIA nor CCA provided estimates for: (a) how many providers would rely on outside expert consultants, (b) how much consultant time would be incurred by providers, (c) what type of consultants would be used (e.g., NTCA did not specify whether “outside expert consultants” would be attorneys, engineers, or web administrators, etc.), or (d) the costs of obtaining outside expert consultants (e.g., hourly rates). We do not estimate that any costs associated with obtaining necessary outside consultants would be substantially different from the estimates of in-house costs.
9. Payments or gifts to respondents. The Commission does not anticipate providing any payment or gift to respondents.
Assurances of confidentiality. The Commission is not requesting that respondents submit confidential information. Any respondent who submits information to the Commission, which the respondent believes is confidential, may request confidential treatment of such information under section 0.459 of the Commission’s rules. See 47 CFR § 0.459.
11. Questions of a sensitive nature. There are no questions of a sensitive nature with respect to the information collected.
12. Estimates of the hour burden of the collection to respondents. The following represents the Commission’s estimate of the annual hour burden of the collections of information. The Commission makes several assumptions:
The number of covered provider respondents is 2,935.34 The number of CMRS respondents is 600 (60 facilities-based35 + 540 MVNOs,36 both of which together are considered to be CMRS provider respondents in this Supporting Statement).
The Commission believes that respondents have adopted information technology, office automation techniques, and standardized business practices and routines to increase efficiency in most areas of their businesses’ functions, including collection and protection of CPNI, and that the respondents will adopt and use similar information technology, office automation techniques, and standardized business practices and routines to reduce the hourly burden requirements, “in house” costs, and annual costs that are required to collect the information.
The Commission believes that most of these respondents will use their “in house” staff to comply with these requirements, since, as noted above, we believe that technology allows them to adjust their business and office practices and functions to meet these requirements with only minimal changes, i.e., IT software has evolved to provide businesses with functional flexibility and adaptability.
Numbers shown below have been rounded to the nearest whole number, as applicable.
Information Collection Requirements:
(a) Customer approval:
(1) Number of Respondents: 2,935.
Under the CPNI rules, all covered providers must file from January 1 to March 1 their annual reports certifying compliance with the Commission’s rules protecting CPNI.37 For our estimate, we base the number of respondents on the total number of annual CPNI reports filed from January 1, 2024 to March 1, 2024 (for calendar year 2023). An additional 2% were added to capture the number of filers that may not have met the March 1, 2024 deadline.
FCC Web-Based Electronic Filers =1,735. For the 2023 reporting period, there were 1,735 compliance certifications filed on the FCC web portal from January 1, 2024 to March 1, 2024.
ECFS Filings =1,142. For the 2023 reporting period, there were 1,142 certifications filed via ECFS from January 1, 2024 to March 1, 2024.
Additional Filers =58. While we are unsure on the exact number of filers that do not comply with the annual filings, we added an additional 2% to capture the number of filers that may not have met the March 1 deadline.
FCC Web-Based Filers (1,735) + ECFS Filings (1,142) = 2,877 total
2% of 2,877 = 58
Total respondents: 1,735+ 1,142 + 58 =2,935.
(2) Frequency of Response: On occasion reporting requirement.
(3) Total Number of Responses Annually: 147 (reporting requirement)
The rules requiring providers to seek customer approval to use CPNI to market service offerings outside the customer’s existing service have been in place since 2007. We believe that only new entrants to the market will need to create the customer notification. We estimate approximately 5% of the 2,935 respondents are new entrants (2,935 x 5% = 147).
147 respondents x 1 response/notification designed and sent to customers = 147 responses
(4) Total Annual Hour Burden: 1,764 hours (1,470 + 294)
The Commission believes that most respondents use a digital internal system to solicit their customers for permission to use CPNI to market service offerings outside a customer’s existing service relationship. Therefore, the burden to new entrants of complying with the notification requirement includes the design of a digital platform that the respondent can use to automatically solicit permission from its customers, as well as the design of the notification itself. The design of both of these is an annual burden to new entrants only, as providers who entered the market in the past are believed to have both components already developed.
The Commission estimates that the respondents will require approximately ten hours to design a digital platform that solicits each of their customers for their permission to use CPNI to market service offerings outside of their existing service relationship.
147 respondents x 10 hours/digital platform design = 1,470 hours for digital platform
The Commission estimates that the respondents will require approximately two hours to design the notification, giving the respondents permission from their customers to use CPNI to market service offerings outside a customer’s existing service relationship.
147 respondents x 2 hours/notification design = 294 hours for notification
Once the customer grants the respondent permission to use his/her CPNI to market services outside the existing service relationship, the respondent does not have to seek approval again for the purpose for which it informed the customer. However, if the respondent uses the opt-out approval mechanism, it must send a notice of customers’ rights to each customer biennially. Provided that the respondent uses the aforementioned digital platform to engage with its customers on CPNI matters, a digital notification can be set to automatically be sent every two years. As such, the Commission estimates the burden from biennially notifying customers to be zero.
(5) Total “In House” Costs: $131,879
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee,38 plus 30% overhead, to design the digital CPNI solicitation platform. The rules have been in place since 2007, and we believe that only new entrants to the market will need to create the notification. Having previously explained that we estimate 147 new entrants, this gives a burden of:
147 respondents x 10 hours/digital platform design x $53.87/hour = $79,189
We assume that respondents will use personnel comparable in pay to a GS-14/Step 5 ($75.70/hour) Federal employee, plus 30% overhead, to design the customer approval solicitation device. Again, the rules have been in place since 2007, and we believe that only new entrants to the market will need to create the notification.
147 respondents x 2 hours/notification x $75.70/hour = $22,256
$79,189 + $22,256 = $101,445
30% overhead = $ 30,434
(b) Customer Approval Documentation and Recordkeeping.
(1) Number of Respondents: 2,935
(2) Frequency of Response: Recordkeeping requirement
(3) Total Number of Responses Annually: 147 responses (recordkeeping)
2,935 respondents x 1 recordkeeping requirement/annum = 2,935 responses
(4) Total Annual Hourly Burden: 294 hours
As in (a) Customer Approval, the Commission believes that most respondents use a digital internal system to document and record their customers’ CPNI approval status. Furthermore, the Commission believes that it is reasonable to assume that the digital system developed in (a) to solicit CPNI approval from customers is also the digital system that documents and records customer CPNI approval status.
The burden for documenting and recording CPNI approval status, therefore, should be limited to new entrants, and should only consider the burden of adding an additional feature – documentation and recordkeeping of CPNI status – to the digital system developed by new entrants in (a).
Having already developed the digital solicitation system described in (a), the Commission estimates that new entrants will require an additional two hours to add the necessary documentation and recordkeeping features required by (b) to the digital system.
147 respondents x 2 hours/recordkeeping for customer’s CPNI status = 294 hours
(5) Total “In House” Cost: $20,589
The Commission assumes that the respondents use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% for overhead, to comply with the recordkeeping requirement:
147 respondents x 2 hours/recordkeeping for CPNI status x $53.87/hour = $15,838
30% overhead $4,751
Total: $20,589
(c) Notification of CPNI Rights Requirement.
(1) Number of Respondents: 2,935
(2) Frequency of Response: One-time notification reporting requirement. The timing of this notification is at the discretion of the carrier or provider.
(3) Total Number of Responses Annually: 2,935 responses (reporting requirement)
2,935 respondents x 1 response/notification design and sent to customers = 2,935 responses
(4) Total Annual Hourly Burden: 0 hours
The Commission believes a respondent will provide customers with their CPNI Rights at the same time at which the respondent solicits their CPNI approval. As such, any burden from Notification of CPNI Rights is subsumed within the automated system and notification devised in part (a) Customer Approval. This results in this subsection, Notification of CPNI Rights, having an annual hourly burden of zero.
(5) Total “In House” Costs: $0
With no hourly burden, the Commission does not anticipate any “In House” Costs.
(d) Notification Recordkeeping.
(1) Number of Respondents: 2,935
(2) Frequency of Response: Recordkeeping requirement
(3) Total Number of Responses Annually: 2,935 responses (recordkeeping requirement)
2,935 respondents x 1 recordkeeping requirement = 2,935 recordkeeping requirements
(4) Total Annual Hourly Burden: 0 hours
The Commission believes it is reasonable to assume that a respondent will keep records of its notifications to customers of their CPNI rights using the same internal digital system that the respondent uses to record customers’ CPNI approval. The burden to respondents of modifying their internal digital systems to keep records of customer CPNI approval was already calculated in (b) Customer Approval Documentation and Recordkeeping. As such, the Commission sees no additional annual burden for Notification Recordkeeping.
(5) Total “In House” Cost: $0
With no hourly burden, the Commission does not anticipate any “In House” Costs.
(e) Event Histories Recordkeeping.
(1) Number of Respondents: 2,935
(2) Frequency of Response: Recordkeeping requirement
(3) Total Number of Responses Annually: 978 (recordkeeping responses)
Sales personnel are required to obtain supervisor review for any proposed request to use CPNI for outbound marketing, and providers are required to maintain records of these events. However, not all covered providers will propose new uses of CPNI for outbound marketing purposes in any given year. The Commission estimates that one third of covered providers will propose a new use of CPNI in a given year.
2,935 respondents x (1/3) of whom propose new CPNI use/annum = 978 annual responses
(4) Total Annual Hourly Burden: 489 hours
The Commission estimates that respondents will require approximately 30 minutes (0.5 hours) annually to comply with the recordkeeping requirement that they record the date and purpose of the campaign, what products and services were offered to customers, and when they use customer CPNI for sales and marketing campaigns.
978 respondents x 0.5 hours/annual recordkeeping requirement = 489 hours
(5) Total “In House” Cost: $19,307
The Commission estimates that respondents will use personnel comparable in pay to a GS-7/Step 5 ($30.37/hour) Federal employee, plus 30% for overhead, to comply with the recordkeeping requirement:
978 respondents x 0.5 hours x $30.37/hour = $14,851
30% overhead = $ 4,456
Total: $19,307
(f) Compliance Certificate.
(1) Number of Respondents: 2,935
(2) Frequency of Response: Annual reporting requirement.
(3) Total Number of Responses Annually: 2,935 responses
2,935 respondents x 1 response/annum = 2,935 responses (reporting requirement)
(4) Total Annual Hourly Burden: 2,935 hours
The Commission estimates that respondents will take approximately 1 hour annually to comply with the requirement that they file their compliance certificate.
2,935 respondents x 1 hour/certification certificate = 2,935 hours
(5) Total “In House” Cost: $339,732
The Commission estimates that respondents will use personnel comparable in pay to a GS-15/Step 5 ($89.04/hour) Federal employee, plus 30% overhead, to prepare this compliance report.
2,935 respondents x 1 hour/compliance report x $89.04/hour = $261,332
30% overhead = $78,400
(g) Aggregate Customer Information Disclosure Requirements.
(1) Number of Respondents: 978
This rule applies to providers who use or disclose aggregate customer information for the purposes of marketing service to which the customer does not subscribe. Earlier, in part (e) Event Histories Recordkeeping, the Commission speculated that one third of all respondents will propose a new use of CPNI in a given year. We maintain that assumption here and assume that 2,935 respondents x (1/3) = 978 respondents, annually.
(2) Frequency of Response: On occasion reporting requirements.
(3) Total Number of Responses Annually: 978 responses (reporting requirement)
978 respondents x 1 response/annum = 978 responses
(4) Total Annual Hourly Burden: 1,956 hours
The Commission estimates that respondents will require approximately 2 hours to comply with the requirement.
978 respondents x 2 hours/disclosure requirements = 1,956 hours
(5) Total “In House” Costs: $77,224
The Commission assumes that a respondent will use personnel comparable in pay to a GS-7/Step 5 ($30.37/hour) Federal employee, plus 30% overhead, to comply with this disclosure requirement.
978 respondents x 2 hours/disclosure requirement x $30.37/hour = $59,403
30% overhead = $17,821
Total: $77,224
(h) CPNI Disclosure to Third Parties (47 U.S.C. § 222(c)(2))
(1) Number of respondents: 500
(2) Frequency of Response: On occasion reporting requirement; third party disclosure.
This obligation will arise when third parties that have obtained affirmative, written customer authorization request access to CPNI. We believe that, although all covered providers are subject to Section 222(c)(2), on average, covered providers will be required to respond to 500 or fewer requests annually for access to CPNI from third parties.
(3) Total Number of Responses Annually: 500 responses (third party disclosures)
500 respondents x 1 CPNI disclosure/annum = 500 responses
(4) Total Annual Hourly Burden: 500 hours
The Commission estimates that the respondents will require approximately one hour (1 hour) to respond annually to approximately 500 requests for access to CPNI from third parties, pursuant to affirmative written customer authorization. This obligation will arise when these third parties that have obtained affirmative written customer authorization request access to CPNI.
500 respondents x 1 hours/CPNI disclosures annually = 500 hours (third party responses)
(5) Total “In House” Cost: $19,741
The Commission assumes that respondents will use personnel comparable in pay to a GS-7/Step 5 Federal employee ($30.37/hour), plus 30% overhead, to provide this CPNI information to these third party requesters:
500 respondents x 1 hours/CPNI disclosure x $30.37/hour = $15,185
30% overhead = $ 4,556
Total: $19,741
(i) Safeguards Required for Use of CPNI.
(1) Number of Respondents: 5
(2) Frequency of Response: On occasion reporting requirement.
(3) Total Number of Responses Annually: 5
5 respondents x 1 response/annum = 5 responses (reporting requirement)
(4) Total Annual Hour Burden: 25 hours
The Commission believes that the instances where the respondents must report to the Commission any instances when the opt-out mechanisms did not work will require approximately five hours (5 hours) annually.
5 respondents x 5 hours/opt-out notification safeguard/annum = 25 hours
(5) Total “In House” Costs: $2,461
The Commission assumes that respondents will use personnel comparable in pay to a GS-14/Step 5 Federal employee ($75.70), plus 30% for overhead, to comply with this notification requirement.
5 respondents x 5 hours/annum x $75.70/hour = $1,893
30% overhead = $568
Total: $2,461
(j) Subscriber List Information Disclosure:
(1) Number of Respondents: 978
The Commission believes that there are approximately 978 telecommunications carriers providing telephone exchange service. We are unable to quantify the exact number and used the same percentages as the last submission from the total respondents:
1/3 of total respondents provide telephone exchange (1/3 x 2,935 = 978).
(2) Frequency of Response: On occasion reporting requirements (periodic responses/annum)
(3) Total Number of Responses Annually: 5,868 responses (third party disclosure requirements)
978 respondents x 6 responses/annum = 5,868 responses
(4) Total Annual Hourly Burden: 11,736 hours
The Commission estimates that, on average, most respondents will be required to provide subscriber list information to directory publishers six times a year, including requests for updated subscriber list information, and that the respondents will require approximately two hours in each instance to comply with this requirement.
978 respondents x 2 hours/response x 6 times/annum = 11,736 hours.
(5) Total “In House” Costs: $821,883
The Commission estimates that the respondents will use staff comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% overhead, to comply with this requirement that they provide updated subscriber list information to requesting directory publishers.
11,736 hours/subscriber list requests x $53.87/hour = $632,218
30% overhead = $189,665
Total: $821,883
(k) Notifications.
(1) Number of Respondents: 500
(2) Frequency of Response: On occasion reporting requirement; third party response.
(3) Total Number of Responses Annually: 500 responses (third party disclosure)
The Commission estimates that the respondents may receive approximately 500 requests from directory publishers annually for information on the carriers’ subscriber list information.
500 requests x 1 subscriber list request/annum = 500 responses
(4) Total Annual Hourly Burden: 500 hours
The Commission estimates that respondents will take approximately one hour to fulfill each directory publisher’s subscriber list information request, which the carrier must do at the time it is requested by the directory publisher, provided that the directory publisher has given advance notice, and the carrier’s internal systems permit the request to be filled within that time frame.
500 requests for subscriber list information x 1 hour/request = 500 hours (third party responses)
(5) Total “In House” Cost: $35,016
The Commission estimates that the respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% overhead, to comply with this requirement to provide the subscriber list information whenever directory publishers make such requests.
500 hours/subscriber list information request x $53.87/hour = $26,935
30% overhead = $8,081
Total: $35,016
(l) Disclosure of Contract Rates, Terms, and Conditions and Recordkeeping.
(1) Number of Respondents: 500
(2) Frequency of response: Recordkeeping requirements; third party disclosure
(3) Total Number of Responses Annually: 2,000 responses (recordkeeping and third party responses)
There are two recordkeeping requirements and one third party disclosure requirement for respondents, as explained in (a), (b), and (c) below. The Commission also estimates that respondents will receive approximately two requests annually to provide the contract disclosure information to third party directory publishers in (c) below.
(a) they maintain records on their contract rates, terms, and conditions for at least one year,
500 respondents x 1 recordkeeping for contract records/annum = 500 responses
(b) they maintain records for at least one year after the carrier provides subscriber list information to directory publishers,
500 respondents x 1 recordkeeping for subscriber list information/annum =500 responses, and
(c) they make these records available to the FCC and to any directory publisher upon request.
500 respondents x 2 disclosures to directory publishers/annum = 1,000 third party disclosures
Total: 500 + 500 + 1,000= 2,000 responses
(4) Total Annual Hour Burden: 1,500 hours
The Commission estimates that respondents will require approximately 30 minutes (0.5 hours) annually to comply with each of these two recordkeeping requirements below, (a) and (b). The Commission also estimates that respondents will require approximately one hour to furnish the records to directory publishers twice annually in (c) below.
(a) they maintain records on their contract rates, terms, and conditions for at least one year,
500 respondents x 1 recordkeeping requirement/annum x 0.5 hours/response = 250 hours
(b) they maintain records for at least one year after the carrier provides subscriber list information to directory publishers,
500 respondents x 1 recordkeeping requirement/annum x 0.5 hours/response = 250 hours, and
(c) they make these records available to the FCC and to any directory publisher upon request
500 respondents x 2 responses/annum x 1 hour/third party response = 1,000 hours (third party disclosure)
Total: 250 hours + 250 hours + 1,000 hours = 1,500 hours
(5) Total “In House” Costs: $105,048
The Commission estimates that respondents will use staff comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% overhead, to maintain these records and to disclose the contract and subscriber list information to publishers and the FCC, upon request, e.g., third party disclosure requirement.
250 hours/recordkeeping requirements x $53.87/hour = $13,468
250 hours/recordkeeping requirements x $53.87/hour = $13,468
1,000 hours/disclosure requirements x $53.87/hour = $53,870
$80,806
30% over head = $24,242
Total: $105,048
(m) Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access.
(1) Number of Respondents: 2,935
(2) Frequency of Response: Recordkeeping requirement; reporting requirement.
(3) Total Number of Responses Annually: 147 responses (recordkeeping and reporting)
The Commission believes that most respondents use a digital internal system to manage customer passwords, including to deal with forgotten and new passwords. The annual burden for password and back-up authentication methods, therefore, should be limited to new entrants.
(4) Total Annual Hourly Burden: 1,470 hours
The Commission believes that most respondents use a digital internal system to manage customer passwords, including back-up and authentication methods. Therefore, the burden of complying with this rule is the design of a digital platform that the respondent can use to automatically manage customer passwords. The design of this is an annual burden to new entrants only, as providers who entered the market in the past are believed to have both components already developed.
The Commission estimates that the respondents will require approximately ten hours to design a digital platform that manages their customers’ passwords.
147 respondents x 10 hours/digital platform design = 1,470 hours for digital platform
(5) Total “In House” Costs: $102,946
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% overhead, to design the customer password management platform. The rules have been in place since 2007, and we believe that only new entrants to the market will need to create the notification. This gives a burden of:
147 respondents x 10 hours/digital platform design x $53.87/hour = $79,189
$79,189
30% overhead = $23,757
Total: $102,946
(n) Notification of Account Changes.
(1) Number of Respondents: 2,935
(2) Frequency of Response: On occasion reporting requirement; recordkeeping requirement.
(3) Total Number of Responses Annually: 147 responses (reporting and recordkeeping)
Again, as in (m), Password and Back-up Authentication, the Commission believes that most respondents use a digital internal system to manage their customers’ passwords. Furthermore, the Commission believes that it is reasonable to assume that the digital system developed in (m) to manage customer passwords is also used to provide the notifications of account changes covered by (n).
The burden for notifying customers of account changes, therefore, should be limited to new entrants, and should only consider the burden of adding the additional features described in (n) to the digital password management system developed by new entrants in (m).
(4) Total Annual Hourly Burden: 4,410 hours
Having already developed the digital password management system in (m), the Commission estimates that new entrants will require an additional thirty hours to add all of the necessary notifications of account changes required by (n) to the digital system.
147 respondents x 30 hours/digital platform design = 4,410 hours to enhance digital password system
The Commission estimates that respondents will require approximately one hour to design the notification. The rules have been in place since 2007, and we believe that most carriers have designed the notification and only new entrants to the market will need to create it. We estimate approximately 10% of the 2,800 respondents are new entrants (2,800 x 10% = 280).
280 respondents x 1 hour/notification design = 280 hours
It is difficult to estimate the time involved because the Commission does not know how many of the respondents’ customers change their account information annually. We estimate that the respondents’ 47,200,000 customers may change their account information once annually, which will require approximately 6 seconds (0.002 hours) for the respondents to transmit this notification to these customers:
47,200,000 customers x 0.002 hours/notification transmission = 94,400 hours
Total: 280 hours + 94,400 hours = 94,680 hours
(5) Total “In House” Costs: $308,837
The Commission assumes that the respondents use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, plus 30% for overhead, to comply with the recordkeeping requirement:
4,410 hours x $53.87/hour = $237,567
$237,567
30% overhead = $ 71,270
Total: $308,837
(o) Customer notification of SIM change requests.
To provide customers with an early warning that their account may be subject to fraudulent activity, CMRS providers are required to provide immediate notification to a customer that a SIM change request associated with the customer’s account was made and sent in accordance with customer preferences, if indicated. The notification must be sent before the SIM change is effectuated, except to the extent otherwise required by the Safe Connections Act. This would include delivering a notification in the language of the customer’s choosing, if the CMRS provider permits communications preferences in other languages and the customer has previously indicated such choice. Compliance also may require system upgrades to handle increased customer notification volumes and development for pre-paid notifications. Providers have flexibility to determine the most appropriate methods to provide the required notifications, so that providers can account for the complexities of notifications in various contexts as well as the technical capabilities, accessibility needs, or broadband access of individual customers. Providers are permitted to use existing methods of notification that are reasonably designed to reach the customer associated with the account.
Immediate customer notification of SIM change requests:
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Third-party disclosure; design, development, and implementation of procedures.
(3) Total Number of Responses Annually: 91,250,000 responses
We conservatively estimate that approximately one quarter of wireless customers will request a SIM change each year. Assuming approximately 365,000,000 wireless customers x 0.25 = 91,250,000 responses
(4) Total Hourly Burden: 48,000 hours.
CMRS providers should already have processes in place to immediately notify customers of certain account changes involving CPNI in accordance with existing rules, which should enable them to build on these processes to provide immediate notification regarding SIM change requests, thereby minimizing potential burdens associated with this new rule. The record demonstrates that some providers already notify customers of SIM change requests in most instances and therefore will only need to update their processes to notify customers in all cases. Further, since we expect these notifications to be automated, the only cost is in designing and implementing the system.
For these reasons, the Commission estimates that respondents in the aggregate (i.e., certain respondents will require significantly more hours and many other respondents will require significantly less hours) will require an average of approximately 80 hours to build on existing processes to provide immediate notification to a customer that a SIM change request associated with the customer’s account was made, including employee training. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar immediate customer notification requirement for port-out requests adopted in this proceeding and to come into compliance with the Safe Connections Act and its implementing regulations.
Total Cumulative Burden Hours: 600 respondents x 80 hours = 48,000 hours
(5) Total “In House” Cost: $4,723,680
The Commission assumes that respondents will use personnel comparable in pay to a GS-14/Step 5 ($75.70/hour) Federal employee, plus 30% overhead, to develop, test, and implement procedures to provide immediate notification that a SIM change request was made.
Estimated Cumulative In-House Cost to Respondents: 48,000 x $75.70 = $3,633,600
30% overhead = $1,090,080
Estimated Total Cumulative In-House Cost to Respondents: = $4,723,680
Average Cost per Respondent to Design, Develop, and Implement: $4,723,680/600 = $7,873
(p) Notice of account protection measures.
CMRS providers are required to provide customers with notice of any account protection measures offered, including those to prevent SIM fraud. Providers have flexibility to design the format and content of the required notice, but must use clear and concise language and make the notice easily accessible via provider websites and applications. The record demonstrates that some wireless providers have already developed content to educate customers about some account protection measures.
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Third-party disclosure; development and implementation of procedures.
Total Number of Responses: 600
Total Hourly Burden: 3,000 hours
Given that providers already develop content to educate customers about their product and service offerings and display such content on their websites and applications, the Commission believes that compliance with this requirement will have a negligible impact. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar account protection measures to prevent port-out fraud adopted in the same SIM Swap/Port-Out Fraud proceeding. The Commission estimates that respondents will require approximately 5 hours to develop and implement this measure. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar account protection measures to prevent port-out fraud.
Total Cumulative Burden Hours: 600 respondents x 5 hours = 3,000 hours
Total “In House” Cost: $210,093
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee to develop content to provide customers with notice of any account protection measures offered, including to prevent SIM fraud.
Estimated Total Cumulative In-House Cost to Respondents: 3,000 x $53.87= $161,610
30% overhead = $ 48,483
= $210,093
Average Cost per Respondent to Develop and Implement: $210,093/600 = $350
(q) Processes for receiving SIM fraud reports.
CMRS providers are required to maintain a clearly disclosed, easy-to-use and transparent process for reporting SIM swap fraud, and promptly provide customers, at no cost, with documentation of fraud involving their accounts upon request. Providers have flexibility to determine the form and content of such documentation.
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Development and implementation of reporting procedures; third party disclosure
(3) Total Number of Responses Annually: 457,450 responses
Development of process for reporting fraud (600) + disclosure of fraud reporting process (600) + documentation of fraud upon customer request (0.5%39 of 91,250,000 SIM change requests= 456,250) = 457,450 responses
(4) Total Hourly Burden: 111,625 hours
While we expect that most wireless carriers already have a method for customers to report fraud, the Commission estimates that respondents will require approximately 60 hours to modify their systems to develop an easy-to-use and transparent process for reporting SIM swap fraud and an additional 10 hours to disclose and maintain that process. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar requirement to make available a process for reporting fraudulent ports. In addition, we expect that provision of documentation of SIM fraud will be automated and integrated into the fraud reporting process in most cases, imposing minimal burden hours (0.1 hours per request) for most providers once the reporting system has been implemented.
Modification and development of systems for reporting fraud: 100 hours x 600 responses = 60,000 hours
Maintenance and disclosure of SIM fraud reporting process: 10 hours x 600 responses = 6,000 hours
Providing documentation of fraud upon request: 0.1 hours x 456,250 responses = 45,625 hours
Total Cumulative Burden Hours: 60,000 hours + 6,000 hours + 45,625 hours = 111,625 hours
Total “In House” Costs: $ 7,817,212
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee to develop and implement a fraud reporting process, disclose their process for reporting fraud, and provide documentation to customers upon request.
Estimated Total Cumulative In-House Cost to Respondents: 111,625 x $53.87 = $6,013,240
30% overhead = $1,803,972
$7,817,212
Average Cost per Respondent to Develop and Implement: $7,817,212/600 = $13,029
(r) SIM change recordkeeping.
CMRS providers are required to track and maintain on a prospective basis for a minimum of three years, the total number of SIM change requests they received, the number of successful SIM change requests, the number of failed SIM change requests; the number of successful fraudulent SIM change requests, the average time to remediate a fraudulent SIM change, the total number of complaints received regarding fraudulent SIM change requests, the authentication measures the CMRS provider has implemented, and when those authentication measures change. Such data and information shall be provided to the Commission upon request. Although CMRS providers already collect some information about SIM change requests, the record indicates they do not collect all of the data required to meet the recordkeeping obligations. CMRS providers will therefore need to undertake system updates to gather and retain each data point.
SIM change recordkeeping procedures:
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Recordkeeping requirement; development and implementation of procedures.
Total Number of Responses Annually: 600
Total Hourly Burden: 72,000 hours
The Commission estimates that respondents will require approximately 120 hours to develop and implement this measure. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar procedures to resolve fraudulent ports in the Local Number Portability rules part of this proceeding.
Total Cumulative Burden Hours: 600 respondents x 120 hours = 72,000 hours
Cost: $5,042,232
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee to develop procedures to track and maintain certain information about SIM change requests and the authentication methods used to complete such requests.
Estimated Total Cumulative In-House Cost to Respondents: 72,000 x $53.87= $3,878,640
30% overhead= $1,163,592
$5,042,232
Average Cost per Respondent to Develop and Implement: $5,042,232/600 = $8,404
(s) Notification of Data Breaches.
Total Number of Respondents: 1,623
Frequency of Response: On occasion reporting requirements; third party disclosure.
Total
Number of Responses Annually: 3,246 responses (reporting and
customer notification)
1,623
incidents x 1 notification to online breach reporting facility =
1,623 responses
1,623
incidents x 1 customer notification
= 1,623
responses
Total =
3,246 responses
Total Cumulative Annual Hourly Burden:
It is difficult to estimate the time involved because this reporting requirement only exists in the event of a data breach. The Data Breach Order expanded the definitions of “breach” and “covered data.” While the rules previously covered only CPNI, the rules now also apply to a broader set of personally identifiable information (PII). For the purposes of the Commission’s breach notification rules, PII is defined as: (i) An individual’s first name or first initial, and last name, in combination with any government-issued identification numbers or information issued on a government document used to verify the identity of a specific individual, or other unique identification number used for authentication purposes; (ii) An individual’s user name or e-mail address, in combination with a password or security question and answer, or any other authentication method or information necessary to permit access to an account; or (iii) Unique biometric, genetic, or medical data. As used in the Commission’s rules, “personally identifiable information” does not include information about an individual that is lawfully made available to the general public from federal, state, or local government records or widely distributed media. “Breach” is defined to include access to, use, or disclosure of “covered data” that is not authorized or that exceeds authorization. This definition also includes inadvertent unauthorized access to, use, or disclosure of covered data. However, this expansion is paired with an important limitation. A breach does not include good faith acquisition of covered data by an employee or agent of a covered provider, as long as the information is not further disclosed or improperly used. It is no longer necessary to report breaches affecting fewer than 500 customers where the breach is not reasonably likely to harm customers. If it can be reasonably determined that a breach has affected fewer than 500 customers and is not reasonably likely to harm those customers, there is not a reporting obligation, except that covered providers must file an annual summary of such breaches in the central online breach reporting facility. The estimate of breaches is based on information regarding the number of breaches reported to the central online breach reporting facility, which has been increased by twenty percent. The Commission estimates that respondents will require approximately 48 minutes (0.8) hours) to compile information related to a breach and notify law enforcement officials and the FCC of their customer’s data breach via the central online reporting facility. The Commission estimates that these same respondents will also require approximately 6 minutes (0.10 hours) to notify a customer whose data has been breached.
1,623 responses x 0.8 hours/data breach compile and notify to online reporting = 1,298 hours
1,623 responses x 0.1 hours/data breach notification to customer = 162 hours
Total cumulative annual hours = 1,460 hours
Total "In-House" Costs: $143,748
The Commission believes that respondents will use personnel comparable in pay to a GS-14/Step 5 ($75.70) Federal employee to comply with the two notification requirements:
1,623 responses x 0.8 hours (compile and notify reporting facility) x $75.70 = $98,289
1,623 responses x 0.1 hours (notify customer) x $75.70 = $12,286
= $110,575
30% overhead = $ 33,173
Total cumulative estimated annual cost = $143,748
(t) Breach Notification Recordkeeping.
All carriers are required to maintain a record of any breaches discovered, notifications made to the central reporting facility, and notifications made to customers. The record shall include, if available, dates of discovery and notification, a detailed description of the covered data that was the subject of the breach, the circumstances of the breach, and the bases of any determinations regarding the number of affected customers or likelihood of harm as a result of the breach. Records shall be maintained for a minimum of two years.
Total Number of Respondents: 2,935
Frequency of Response: Recordkeeping requirement.
Total Number of Responses Annually: 2,935 responses (recordkeeping)
It is difficult to estimate how many providers will actually experience a data breach, and whether certain providers will experience multiple breaches. We believe it is likely that most providers will not experience any data breach. However, all providers are required to maintain records. If a provider does not experience a data breach, we assume it will take less than 2 hours to maintain a record. It may take a provider experiencing a single or multiple data breaches significantly more time to maintain records. For those reasons, for purposes of this estimate, we assume that on average it will take respondents approximately two hours to maintain records to comply with this requirement. The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee, to maintain this recordkeeping requirement.
Total Cumulative Annual Hourly Burden: 2,935 respondents x 2 hours = 5,870 hours
Total Cumulative In House Costs to Maintain Data Breach Records:
5,870 recordkeeping hours/annum x $53.87/hour = $316,217
30% overhead = $ 94,865
Estimated Total Cumulative In House Costs $411,082
INFORMATION COLLECTION BURDEN ESTIMATES40
Information Collection |
|
Number of Respondents |
Number of Responses |
Time per Response(Hours) |
Total Hourly Burden |
“In House” Cost |
Total
|
a. Customer Approval |
Notification Design |
2,935 |
147 |
2 |
294 |
$22,256 |
$ 131,879 |
Digital Platform Design |
2,935 |
147 |
10 |
1,470 |
$ 79,189 |
||
b. Customer Approval Documentation and Recordkeeping |
Recordkeeping |
2,935 |
147 |
2 |
294 |
$15,838 |
$20,589 |
c. Notification of CPNI Rights Requirement41 |
Automatic Notification Design |
2,935 |
2935 |
0 |
0 |
$ 0 |
$ 0 |
d. Notification Recordkeeping42 |
Recordkeeping |
2,935 |
2935 |
0 |
0 |
$ 0 |
$ 0 |
e. Event Histories Recordkeeping |
Recordkeeping |
2,935 |
978 |
0.5 |
489 |
$ 14,851 |
$ 19,307 |
f. Compliance Guidance |
Certificate |
2,935 |
2,935 |
1 |
2,935 |
$261,332 |
$339,732 |
g. Aggregate Customer Information Disclosure Requirements |
Recordkeeping |
978 |
978 |
2 |
1,956 |
$59,403 |
$77,224 |
h. CPNI Disclosure to Third Parties |
Disclosure |
500 |
500 |
1 |
500 |
$15,185 |
$19,741 |
i. Safeguards Required for Use of CPNI |
Safeguards |
5 |
5 |
5 |
25 |
$ 1,893 |
$2,461 |
j. Subscriber List Information Disclosure Requirement for Providers of Telephone Exchange Service |
Disclosure |
978 |
5,868 |
2 |
11,736 |
$632,218 |
$821,883 |
k. Notifications |
Notifications |
500 |
500 |
1 |
500 |
$26,935 |
$35,016 |
l. Disclosure of Contract Rates, Terms, and Conditions and Recordkeeping |
Recordkeeping |
500 |
500 |
0.5 |
250 |
$13,468 |
$105,048 |
Records and Contracts |
500 |
500 |
0.5 |
250 |
$13,468 |
||
Disclosures to Publishers |
500 |
1,000 |
1 |
1,000 |
$53,870 |
||
m. Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access |
Recordkeeping |
2,935 |
147 |
10 |
1,470 |
$79,189 |
$102,946 |
n. Notification of Account Changes |
Notification Design |
2,935 |
147 |
30 |
4,410 |
$237,567 |
$308,837 |
o. Customer notification of SIM change requests |
Notifications |
600 |
91,250,000 |
80 |
48,000 |
$3,633,600 |
$4,723,680 |
p. Notice of account protection measures. |
Notice |
600 |
600 |
5 |
3,000 |
$161,610 |
$210,093 |
q. Procedures to resolve fraudulent SIM changes |
Process Design |
600 |
600 |
100 |
60,000 |
$6,013,240 |
$7,817,212 |
Disclosure of Process |
600 |
600 |
10 |
6,000 |
|||
Documentation disclosure upon request |
600 |
456,250 |
0.1 |
45,625 |
|||
r. SIM change recordkeeping |
Recordkeeping |
600 |
600 |
120 |
72,000 |
$3,878,640 |
$5,042,232 |
s. Notification of CPNI Security Breaches |
Disclosure to online reporting |
1,623 |
1,623 |
0.8 |
1,298 |
$98,289
|
$143,748
|
Disclosure to customer |
1,623 |
1,623 |
0.1 |
162 |
$12,286 |
||
t. Breach Notification and Recordkeeping |
Recordkeeping |
2,935 |
2,935 |
2 |
5,870 |
$316,217
|
$411,082
|
CUMULATIVE TOTALS |
|
2,935 |
91,735,200 |
|
269,534
|
$15,640,544 |
$20,332,710 |
Total Number of Respondents: 2,935
Total Number of Responses Annually [Cumulative]: 91,735,200
Total Annual “In House” Costs [Cumulative]: $20,332,710
Total Annual Hourly Burden [Cumulative]: 269,534 hours
13. Estimates of the cost burden of the collection to respondents. This is the Commission’s estimate of the annual cost burden to respondents for the information collection requirements:
(a) Total annualized capital/startup costs: $ 0
(b) Total annualized costs (O&M): $ 0
(c) Total annualized cost requested: $ 0
14. Estimates of the cost burden to the Commission. There will be few if any costs to the Commission because the information collection requirements affect the respondents and third parties, e.g., subscriber list publishers, etc., and the Commission is not required to review these actions and activities, in most instances.
15. Program changes or adjustments. The Commission made the following adjustments to these estimates:
As noted above, the Commission has updated the estimate of the total number of respondents to these information collections, based on the total number of annual CPNI reports filed for calendar year 2023, the most recent year for which we have such data.43 This re-calculation brings the current estimated number of respondents to 2,935, up from the previous estimate of 2,800 (+135). As discussed in this Supporting Statement, we believe that most respondents have previously developed and currently use a digital internal system to manage and respond to many compliance obligations. Because of this, the burden for many compliance obligations is now limited to new entrants. As a result of these adjustments, the total responses went from 94,432,333 to 20,369, resulting in a change in responses of -94,411,964. Similarly, as a result of these adjustments, the burden hours went from 228,981 to 27,579, resulting in a change in burden hours of -201,402. However, implementation of program changes as a result of new obligations in the SIM Swap and Port-Out Fraud Order and the Data Breach Reporting Requirements Order will require additional hours to design, develop, test, and implement procedures, engage in recordkeeping, and provide notices to customers. The Commission has also removed the “cost study” and “certification” burdens. The Commission deleted the “cost study” section because it is not an information collection, but rather a procedure to help ensure rates for subscriber list information are reasonable. The Commission also deleted the “certification” section because this type of certification is not an information collection. These program changes have resulted in corresponding upward adjustments to the burden hours of +238,245 (241,955-3,710) and an upward adjustment to the responses of + 91,712,431 (91,714,831- 2,400 responses). In addition, the total annualized cost estimate has decreased from $4,000,000 to $0 (-$4,000,000) as a result of the Commission’s determination that the “cost study” element of the collection is not a collection under the Paperwork Reduction Act. Taken together, the adjustments and program changes have resulted in downward adjustments to the total figures for the number of responses from (-2,699,533) and upward adjustments to the total burden hours from (+36,843) for the collections described in this supporting statement.
16. Collections of information whose results will be published. The Commission does not anticipate publishing any of the information collected.
17. Display of expiration date for OMB approval of information collection. The Commission is not seeking approval to not display the expiration date for Office of Management and Budget (OMB) approval of the information collection. OMB will publish the OMB Control number, title, and expiration date at https://www.reginfo.gov/public/do/PRAMain.
18. Exceptions to certification for Paperwork Reduction Act submissions. The Commission is reporting an exception to the Certification Statement. In the 60-day notice published in the Federal Register on June 25, 2024 (89 FR 53079), the Commission stated the total annual responses as 24,427 and the total annual burden hours as 206,203. In this Supporting Statement, the total annual responses increased from 24,427 to 91,735,200 (+91,710,773) and the total annual burden hours increased from 206,203 to 269,534 (+63,331). As explained above, the Commission has since determined that certain requirements are not information collections under the PRA, and has also revised the burden estimates upward in response to information provided in comments to the Federal Register notice. Further, the Commission has since determined that notices provided to customers regarding SIM changes and documentation of SIM fraud would be considered “responses” that need to be accounted for. These adjustments are reported in the 30-day notice and reflected in this submission to OMB. There are no other exceptions to the Certification Statement.
B. Collections of Information Employing Statistical Methods:
The Commission does not anticipate that the collection of information will employ statistical methods.
1 The original CPNI rules were adopted on August 23, 1999 and released on September 9, 1999. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Local Competition Provisions of the Telecommunications Act of 1996; and Provisions of Directory Listing Information under the Telecommunications Act of 1934, as amended, CC Docket Nos. 96-115, 96-98, 99-273, Third Report and Order, Second Order on Reconsideration, and Notice of Proposed Rulemaking, 14 FCC Rcd 15550 (1999) (Third R&O).
2 Other requirements adopted in these orders either do not include information collections or are part of other information collections for which the Commission will request separate approval.
3 We refer to the various information collection requirements by letter, e.g., (a) or (o), as a shorthand to promote cross referencing within the supporting statement.
4 Use of the term “wireless provider” is intended to encompass providers of commercial mobile radio service (CMRS) as defined in section 20.3 of the Commission’s rules. 47 CFR § 20.3 (defining commercial mobile radio service as a mobile service that is “(1) provided for profit, i.e. with the intent of receiving compensation or monetary gain; (2) an interconnected service; and (3) available to the public, or to such classes of eligible users as to be effectively available to a substantial portion of the public,” or the “functional equivalent of such a mobile service.”
5 The following information collection requirements are not being modified, but, as explained in paragraph 12, in many cases the Commission is revising the burden estimates for these requirements.
6 Implementation Of The Telecommunications Act Of 1996:Telecommunications Carriers' Use Of Customer Proprietary Network Information And Other Customer Information; CC Docket No. 96-115 Implementation Of The Non-Accounting Safeguards Of Sections 271 And 272 Of The Communications Act Of 1934, As Amended CC Docket No. 96-149, 2000 Biennial Regulatory Review—Review Of Policies And Rules Concerning Unauthorized Changes Of Consumers’ Long Distance Carriers, CC Docket Nos. 96-115, 96-149, 00-257, Third Report and Order and Third Further Notice of Proposed Rulemaking, 17 FCC Rcd 14860 (2002) (Third R&O and Third FNPRM).
7 Third R&O.
8 On September 13, 2004, the FCC modified the information collection requirement described in paragraph (l). Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Memorandum Opinion and Order on Reconsideration, 19 FCC Rcd 18439 (2004) (FCC 04-206).
9 See Supporting Survivors of Domestic and Sexual Violence et al., WC Docket Nos. 22-238, 11-42, and 21-450, Report and Order, FCC 23-96 (2023) (Safe Connections Order). The Safe Connections Report and Order implements the Safe Connections Act of 2022. The Safe Connections Act of 2022, Pub. L. No. 117-223, 136 Stat. 2280 (Safe Connections Act or SCA), which is codified at 47 U.S.C. § 345, requires wireless providers to separate lines from a multi-line account upon request of a survivor of domestic violence and other related crimes and abuses. 47 U.S.C. § 345(b)(1).
10 The FCC has no direct involvement in the collection of the information on individuals or households, i.e., the information collection requirements affect the providers of telecommunications, interconnected VoIP, and TRS, who must abide by the requirements of 47 U.S.C. § 222 and § 345 of the Act. The Commission believes, therefore, that 47 U.S.C. § 222 and § 345 provide sufficient safeguards to protect the information on individuals or households that these respondent providers collect or use.
11 CCA SIM Swap and Port-Out Fraud PRA Comments at 2.
12 NCTA SIM Swap and Port-Out Fraud PRA Comments at 1.
13 Id. at 3.
14 Id. at 4.
15 CTIA SIM Swap and Port-Out Fraud PRA Comments at 2.
16 Id. at 5.
17 Id. at 8-9 (detailing the various internal steps required for providers to implement the new requirements).
18 See NCTA PRA Comments at 3; CTIA PRA Comments at 5.
19 Id. at 3. CCA estimates that initial compliance with the account locking requirements is estimated to take at least between 750-800 hours of work at a cost of no less than between $80,000-$90,000 per carrier for vendor services and carrier resources required for implementation. Id.
20 Id. at 4.
21 Id.
22 Id.
23 CTIA SIM Swap and Port-Out Fraud PRA Comments at 11-16.
24 SIM Swap and Port Out Fraud Order at paras. 67, 72.
25 CCA SIM Swap and Port-Out Fraud PRA Comments at 4.
26 CTIA SIM Swap and Port-Out Fraud PRA Comments at 14. Although CTIA implicitly acknowledges a difference between rules that require providers to provide customers documentation of SIM fraud and rules that require providers to investigate and remediate fraud, id., it nonetheless focuses on burden associated with the latter, despite any such burdens not being “information collection” burdens for PRA purposes because “investigation and mitigation” are not collections of information.
27 CCA SIM SWAP and Port-Out Fraud PRA Comments at 3.
28 SIM Swap and Port Out Fraud Order at para. 20.
29 NCTA SIM Swap and Port-Out Fraud PRA Comments at 4-5.
30 CCA SIM Swap and Port-Out Fraud PRA Comments at 5.
31 See Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Order, DA 24-649 (WCB July 5, 2024). The Bureau also found that waiver of the rules until March 10, 2025 would not serve the public interest.
32 Id. at 17.
33 See CTIA PRA Comments at 18; CCA PRA Comments at 3.
34 There are approximately 2,935 providers of telecommunications, interconnected VoIP, and TRS that might be subject to our notification requirement; however, to the extent providers do not choose to use CPNI or do not want to market new service categories using CPNI, the information collection requirements would not apply to them.
35 The August 2023 Voice Telephone Service Report, Table 2, states that as of June 2022, there were 59 facilities-based mobile providers in the United States. See https://www.fcc.gov/voice-telephone-services.report. The most recent version is as of June 30, 2022.
36 To get an estimate of 540 MVNOs, the Commission used Table 1.12 in the most recent Universal Services Monitoring Report, which lists 594 mobile providers that submitted Form 499 data (i.e., which paid into the Universal Service Fund). From that number, the Commission subtracted the 59 facilities-based mobile providers facilities and rounded up to 540.
37 47 C.F.R. § 2009(e). The annual certification filing for each calendar year is due no sooner than January 1, but no later than March 1. FCC Enforcement Advisory - Telecommunications Carriers and Interconnected VoIP Providers Must File Annual Reports Certifying Compliance with Commission Rules Protecting Annual CPNI Certifications Due March 1, 2024, EB Docket No. 06-36, Public Notice, DA 24-125 (Enf. Bur. 2024). The annual CPNI certifications may be filed: (1) using the Commission’s web-based application; (2) using the Commission’s Electronic Comment Filing System (ECFS); or (3) by filing paper copies. The Commission’s web-based application can be found at http://apps.fcc.gov/eb/CPNI. Any paper filings submitted to the Commission are then added to the FCC’s ECFS Docket No. 06-36.
38 In this supporting statement, the Commission uses the General Schedule Salary Table for Washington-Baltimore-Arlington, DC-MD-VA-WV-PA, as of January 2024.
39 The record in the SIM Swap and Port-Out Fraud proceeding indicates that over 99% of SIM change requests are legitimate.
40 See page 9 of this Supporting Statement discussing the removal of the Cost Study and Certifications portions of this information collection (previously discussed in sections “l” and “m” of this collection).
41 As discussed above, the Commission believes a respondent will provide customers with their CPNI Rights at the same time at which the respondent solicits their CPNI approval. As such, any burden from Notification of CPNI Rights is subsumed within the automated system and notification devised in part (a) Customer Approval. This results in this subsection, Notification of CPNI Rights, having an annual hourly burden of zero. With no hourly burden, the Commission does not anticipate any “In House” Costs.
42 As explained above, the Commission believes it is reasonable to assume that a respondent will keep records of its notifications to customers of their CPNI rights using the same internal digital system that the respondent uses to record customers’ CPNI approval. The burden to respondents of modifying their internal digital systems to keep records of customer CPNI approval was already calculated in (b) Customer Approval Documentation and Recordkeeping. As such, the Commission sees no additional annual burden for Notification Recordkeeping. With no hourly burden, the Commission does not anticipate any “In House” Costs.
See section 12.a., supra.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | 3060-0715 |
| Author | Thomas.Butler |
| File Modified | 0000-00-00 |
| File Created | 2024-10-30 |