The Federal Communications Commission (FCC) proposed a landmark enforcement action against Lingo Telecom, a voice service provider, for violations of caller ID authentication rules under the STIR/SHAKEN framework. This proposal followed the transmission of thousands of spoofed robocalls, including deepfake audio impersonating President Biden, sent to New Hampshire voters just days before the state’s 2024 primary election. The FCC’s Enforcement Bureau later on adopted a Consent Decree with Lingo Telecom, resolving the matter and imposing a $1 million civil penalty, reduced from the original proposed $2 million.
The Lingo Telecom enforcement action
The FCC found that Lingo Telecom had:
- Failed to verify the legitimacy of caller ID information on thousands of calls using STIR/SHAKEN “A-level” attestations.
- Allowed traffic with spoofed caller IDs to pass through its network without proper due diligence.
- Enabled the misuse of generative AI voice cloning technology for misleading robocalls in violation of FCC rules and the Telephone Consumer Protection Act (TCPA).
These actions resulted in a Notice of Apparent Liability for Forfeiture (NAL) proposing a $2 million fine. Following review, the FCC entered into a Consent Decree that included a reduced fine of $1 million, the implementation of an enhanced compliance plan, and formal closure of the investigation.
Timeline to comply
Under the Consent Decree adopted on August 21, 2024, Lingo Telecom is required to:
- Appoint a Compliance Officer within 30 calendar days.
- Implement a detailed Compliance Plan within 90 days, including KYC protocols and attestation review.
- Distribute a Compliance Manual and train employees within 60 days.
- Submit regular Compliance Reports at 90 days, 12 months, and annually thereafter for three years.
- Pay the $1 million penalty in four instalments over a one-year period.
The FCC emphasised that noncompliance could extend the three-year monitoring period and result in additional penalties.
What happened
On 21 January 2024, two days before the New Hampshire primary, 9,581 voters received calls using a cloned voice of President Biden that falsely instructed them not to vote. The caller ID displayed the number of an innocent local political operative.
The calls originated through a chain of actors, Steve Kramer, Voice Broadcasting Corp, and Life Corp, but were transmitted by Lingo Telecom, which applied full “A-level” attestation, suggesting full trust in the caller ID data.
Lingo Telecom relied on outdated customer certifications and long-term client relationships without verifying whether the number used was authorised by the calling party.
The FCC’s findings
The FCC determined that:
- Lingo Telecom violated section 64.6301(a) of the Commission’s rules by misapplying STIR/SHAKEN attestations.
- The company lacked proper internal controls and failed to independently verify caller ID legitimacy.
- Lingo applied “A-level” attestation to 3,978 of the calls even though the numbers were not verified to be associated with the calling party.
- Its policies allowed customers to certify their own compliance without further vetting.
The FCC concluded that these failures weakened the integrity of the STIR/SHAKEN framework and enabled bad actors to misuse generative AI for harmful robocalls.
What organisations can learn from the Lingo Telecom enforcement notice
This Lingo Telecom enforcement action is a clear warning to voice service providers and telecom operators, lessons include:
- Do not rely solely on customer certifications. Providers must conduct independent verification of caller ID data, especially for high-attestation levels.
- Update and implement strong KYC procedures. The FCC now expects providers to gather extensive information and validation from all customers and upstream providers.
- Be prepared for AI-driven abuse. Robocalls using deepfake voices are now explicitly treated as “artificial” under the TCPA, triggering federal enforcement.
The FCC’s action underscores a broader regulatory shift to address the convergence of AI, telecommunications, and consumer protection. Businesses and telecom providers must strengthen their compliance posture now before they face enforcement action of their own.
Actions you can take
- ensure that you direct market lawfully by joining Michalsons data protection programme and working through the principled direct marketing module;
- implement good policies by asking Michalsons to review or assist you with drafting proper policies;
- ensure your employees understand principled direct marketing by asking Michalsons to conduct training and awareness sessions.
