RMD Database and Robocall Mitigation in 2026: Confirmed Requirements, KYC Predictions, and What AI Voice Providers Must Do Now

RMD-Database-and-Robocall-Mitigation-in-2026--Confirmed-Requirements,-KYC-Predictions,-and-What-AI-Voice-Providers-Must-Do-Now Title Card With Viirtue Branding
The Robocall Mitigation Database stopped being a one-time filing in 2026. New FCC rules now carry a $10,000 base fine for inaccurate filings, annual recertification is mandatory every March 1, and two separate rulemakings adopted this spring, Know Your Customer and Know Your Upstream Provider, are about to reshape how voice providers vet their customers and their upstream partners. This guide separates what the FCC has already confirmed from what is still proposed, and breaks down what traditional voice providers and AI voice agent vendors each need to do differently in 2026. If you operate any kind of PSTN-connected voice service, this is the regulatory map you need before your next RMD recertification window.

If you operate a voice service in 2026, whether that is traditional VoIP, a CPaaS platform, a CCaaS deployment, or an AI voice agent product, the Robocall Mitigation Database stopped being a one-time registration this year. It is now an annual certification regime with real fines, real removal consequences, and a regulatory roadmap pointed squarely at customer and upstream provider identity verification.

This guide separates what the FCC has already adopted from what is still on the proposed rulemaking docket. The confirmed sections are sourced to FCC orders and Federal Register publications. The predicted sections are labeled clearly and explain where the agency has signaled it is heading, and what that means for your compliance calendar over the next 12 to 24 months.


TL;DR

Quick Answer: The Robocall Mitigation Database is the FCC's registry where every U.S. voice service provider certifies its STIR/SHAKEN status and robocall mitigation plan. As of 2026, RMD filings must be recertified annually by March 1, and inaccurate filings carry a $10,000 base fine. AI-generated voices have required prior express consent under the TCPA since February 2024, and two new FCC rulemakings adopted in April and May 2026 are about to formalize Know Your Customer and Know Your Upstream Provider obligations for voice and AI voice agent providers.

What Is the Robocall Mitigation Database?

The Robocall Mitigation Database is the FCC's public registry where U.S. voice service providers, intermediate providers, gateway providers, and MVNOs certify their efforts to combat illegal robocalls. That certification covers two things: the extent of a provider's STIR/SHAKEN caller ID authentication deployment, and the specific robocall mitigation practices it applies on its network. RMD filings are publicly searchable, and downstream providers are prohibited from accepting traffic from voice providers that are not properly registered.

The RMD was built under the TRACED Act framework as a centralized accountability mechanism. Every originating voice service provider has to certify one of three things: full STIR/SHAKEN implementation, partial implementation paired with a mitigation plan, or non-implementation paired with a detailed mitigation plan explaining the reasonable steps the provider takes to avoid originating illegal robocalls.

Who actually has to file? Every voice service provider, intermediate provider, and gateway provider operating in the United States. As of 2026, that explicitly includes Mobile Virtual Network Operators, which the FCC reaffirmed in a February 2026 Enforcement Advisory.

MSP Takeaway

If your business resells VoIP, SIP trunking, or AI voice agents with real phone numbers, you are very likely an originating voice service provider for RMD purposes, even if your underlying network runs on a wholesale partner. The reseller relationship does not exempt you from filing independently.


What Is Robocall Mitigation?

Robocall mitigation is the set of operational, technical, and procedural controls a voice service provider implements to prevent illegal robocalls from originating on, or transiting through, its network. Core practices include STIR/SHAKEN caller ID authentication, customer identity verification, traceback request participation, call analytics and blocking, contractual obligations on downstream customers, and ongoing monitoring of suspicious traffic patterns.

Mitigation is not the same thing as STIR/SHAKEN. STIR/SHAKEN is a specific technical framework for cryptographically signing caller ID information to prove a call has not been spoofed. Robocall mitigation is the broader category of practices a provider uses to keep illegal calls off its network in the first place, regardless of how far along its STIR/SHAKEN deployment is.

A compliant mitigation plan typically documents the provider's STIR/SHAKEN status, identity verification practices for new customers, contractual prohibitions on illegal call origination, analytics and blocking technologies, traceback response procedures, and the operational team responsible for compliance. The FCC requires the plan to be filed in the RMD and updated within 10 business days of any material change.

Pro Tip: Treat your mitigation plan as a living document, not a form you fill out once. The FCC's new public deficiency reporting mechanism means competitors and consumer advocacy groups can now flag stale filings directly, not just the Enforcement Bureau.

Confirmed: New RMD Rules Effective February 5, 2026

The FCC adopted stricter RMD filing requirements in late 2024, and the final rule was published in the Federal Register on January 6, 2026, with key provisions taking effect on February 5, 2026. The changes are operationally significant for any provider with an active filing.

Higher base fines top the list. The FCC established a $10,000 base forfeiture for each violation involving false or inaccurate RMD information, and a $1,000 base forfeiture for failure to update RMD information within the required 10 business day window after a material change. These are continuing violations, meaning each day of non-compliance can compound the total.

Mandatory two-factor authentication for RMD access is also final, with the technical rollout still pending from the Wireline Competition Bureau and Office of the Managing Director. A new public deficiency reporting mechanism gives competitors, traceback partners, and consumer advocacy groups a direct channel to flag filings they believe are inaccurate, which raises the practical odds that a stale filing gets noticed before your next recertification window. The FCC is also preparing additional best practices guidance for filers, which signals the bar for an adequate mitigation plan will keep rising.

$10,000
Base forfeiture per violation for inaccurate RMD filings, effective February 5, 2026. Failure to update within 10 business days carries a separate $1,000 base fine.

These rules are final, in effect, and being enforced. For the full mechanics of the recertification window and how it interacts with STIR/SHAKEN third-party signing rules, our STIR/SHAKEN and RMD filing requirements guide walks through the full filing process.


Confirmed: Annual RMD Recertification by March 1

The FCC's January 22, 2026 Public Notice announced the inaugural filing window for annual RMD recertifications, with the first deadline of March 1, 2026. Every provider with a current RMD filing now has to recertify annually that the information in the filing remains accurate, including STIR/SHAKEN status, mitigation plan details, and contact information.

The recertification window opens February 1 each year, and the March 1 deadline is hard. The February 2026 Enforcement Advisory explicitly reminded MVNOs, voice service providers, and intermediate providers that failure to file, update, or recertify can result in fines and removal from the RMD, which leads directly to downstream blocking of the provider's traffic.

This is not a theoretical risk. In August 2025 alone, 185 providers were removed from the RMD for failing to demonstrate adequate compliance practices. Removal is happening at scale, and the operational fallout is immediate: once a provider is delisted, downstream networks are required to stop accepting its traffic.

Important: Build the March 1 recertification into your annual compliance calendar alongside FCC Form 477 and USF Form 499. The filings are public, and any material inaccuracy now risks triggering the new $10,000 base fine.
MSP Takeaway

If your RMD filing has not been touched in the past 12 months, treat that as urgent rather than routine. Verifying accuracy now is far cheaper than absorbing a $10,000 base fine or losing downstream traffic after a recertification miss.


Confirmed: AI-Generated Voices Are Already Regulated Under the TCPA

This is the single most overlooked compliance fact for AI voice agent vendors entering the market in 2026. On February 8, 2024, the FCC issued a Declaratory Ruling confirming that AI technologies generating or simulating human voices fall within the Telephone Consumer Protection Act's prohibition on calls using an artificial or prerecorded voice. That ruling has been in force for over two years. Any AI voice call placed without prior express consent has been a TCPA violation since that date.

What this means in practice is straightforward but easy to miss. AI voice agents that make outbound calls to consumers need prior express consent before calling, unless an emergency or statutory exemption applies. AI-generated calls have to include the same identification and disclosure information required for any artificial-voice call. The TCPA's private right of action means consumers can sue AI voice operators directly, on top of FCC enforcement. And voice cloning specifically falls within the TCPA's reach, regardless of whether the cloned voice belongs to a real person or is fully synthetic.

The FCC followed the 2024 ruling with a Notice of Proposed Rulemaking in August 2024 seeking comment on additional AI-specific disclosure requirements and a formal definition of an AI-generated call. Those final rules are still pending.

Compliance Note: This article is informational and does not constitute legal or regulatory advice. Consult qualified telecom legal counsel for guidance specific to your business.

Confirmed: The April 2026 KYC FNPRM

On April 30, 2026, the FCC adopted a Further Notice of Proposed Rulemaking that proposes to significantly expand and formalize Know Your Customer obligations for originating voice service providers. The item passed 3-0, and the final version posted to the FCC's Daily Digest on May 4, 2026. This is a proposal in the comment period, not a final rule.

The proposed framework would require originating voice service providers to collect, verify, and retain specific customer information before provisioning service: the customer's name, physical address, government-issued identification number, and an alternate phone number. For high-volume customers, the FCC is also seeking comment on requiring corporate formation records, confirmation that a telephone number is active and assigned to the customer, third-party verification of physical address, and evidence of an operational website or storefront.

The FCC has identified specific red flags it wants providers watching for during onboarding: a registered agent, virtual office, or residential address used as a commercial customer's physical address, lack of commercial presence, a suspicious or nonfunctional website, mismatches between a customer's state of incorporation and stated address, and payment using non-traceable cryptocurrency.

  • Extended record retention: a proposed four-year retention requirement after the customer relationship ends
  • Per-call penalties: a proposed $2,500 per-call base forfeiture for KYC violations under 47 CFR § 64.1200(n)(4), with upward adjustment possible under 47 CFR § 1.80
  • Risk-based, differentiated obligations: deeper KYC scrutiny proposed for nomadic VoIP, OTT, prepaid, and app-based services
  • An AI safe harbor: the FCC is asking whether providers using effective AI or automated systems for KYC compliance and bad-actor detection should receive enforcement protection

The proposal would apply to traditional wireline voice carriers, commercial mobile radio service providers, and interconnected VoIP providers. According to coverage from Communications Daily, the final FNPRM added more than a dozen new questions specifically focused on how AI tools should gather and validate information to satisfy KYC obligations.

Timing matters here. Comments are due 30 days after Federal Register publication, with reply comments due at 60 days. A final rule could land in late 2026 or early 2027, though FCC timing is never guaranteed.

MSP Takeaway

The $2,500 per-call penalty structure is the detail that should reshape your risk math. A single deficient KYC process that lets one bad actor place a few hundred illegal calls is no longer an administrative slap. It is a forfeiture that scales directly with call volume.


Confirmed: The May 2026 KYUP FNPRM

At its May 20, 2026 Open Meeting, the FCC advanced a separate but related Further Notice of Proposed Rulemaking on Know Your Upstream Provider obligations. KYUP addresses the accountability gap between the originating provider, which KYC covers, and the rest of the downstream call path.

The basic logic chain looks like this: STIR/SHAKEN authenticates the call. KYC verifies the customer placing the call. KYUP addresses the interconnection layer, where traffic from unvetted or unverified upstream sources can enter the legitimate call path. Under the proposal, a downstream voice service provider would be required to collect general business, financial, internet commercial presence, ownership and affiliate, and operational and service information from the providers whose traffic it carries.

Together, KYC and KYUP are designed to create a chain of identity accountability that runs from the customer to the originating provider to every intermediate provider that touches the call. The May 20 vote initiates the formal public comment process rather than adopting a final rule. From initial proposal to a final Report and Order, FCC rulemaking typically takes 12 to 24 months.

Quick Note: KYUP also touches STIR/SHAKEN attestation standards and oversight of the Certification Authority structure, so providers should not treat it as purely a paperwork exercise separate from their existing caller ID authentication compliance.

Predicted: Where FCC Voice Regulation Is Heading in 2026 and 2027

The following are forecasts based on the trajectory of FCC rulemaking, commissioner statements, and the structure of the proposals currently on the docket. None of these are final rules. Treat them as planning scenarios, not compliance obligations.

Likely within 12 to 18 months. A final KYC rule with the proposed $2,500 per-call penalty structure intact, given the detail already in the FNPRM and the bipartisan tone of the April vote. Mandatory four-year KYC record retention is one of the most clearly articulated proposals and is likely to survive into a final rule with only minor modification. A final AI disclosure rule under the pending TCPA rulemaking is also probable, requiring outbound AI calls to identify themselves as AI-generated before substantive conversation begins. Because KYUP and KYC are explicitly designed to interoperate, a KYC final rule will likely trigger a parallel KYUP final rule within six to twelve months.

Plausible within 18 to 24 months. A formal AI-specific safe harbor for KYC compliance, since the April 2026 FNPRM explicitly asks about one. If adopted, providers that deploy effective AI-based KYC and bad-actor detection would gain enforcement protection for good-faith violations. Tighter intermediate provider obligations around blocking and traceback response timelines are also likely to formalize beyond what KYUP currently proposes. State attorneys general are already active in TCPA enforcement, so expect state-level KYC mirror legislation in states like California, New York, Texas, and Florida over the next two legislative cycles.

Possible within 24 to 36 months. A formal FCC registry specific to AI voice agent vendors, distinct from the general voice service provider registry, if AI voice fraud continues to scale. Mandatory real-time AI disclosure that a consumer can trigger at any point in a call, potentially backed by cryptographic attestation. Joint enforcement frameworks between the FCC, FTC, and CFPB for AI voice scams that cross telecom, advertising, and financial services boundaries.

The common thread running through all of these predictions is that identity, consent, and disclosure are converging into a single regulatory framework. The providers that come out ahead will be the ones with the operational and platform infrastructure to handle that complexity natively, rather than retrofitting it after a final rule lands.


What This Means for Traditional Voice Providers

If you operate a traditional VoIP, hosted PBX, SIP trunking, or wholesale voice business, the operational priorities for the rest of 2026 are clear.

In the next 30 days, verify that your RMD filing is current and accurate. The $10,000 base fine for inaccurate filings is already in effect, and if your filing has not been updated in the past 12 months, treat that as urgent rather than routine.

Over the next 90 days, build the March 1 recertification process into your compliance calendar and review your robocall mitigation plan against current operational reality, not the version you filed two years ago.

Over the next 6 to 12 months, start building the customer identity verification infrastructure the KYC FNPRM will likely require. At minimum, that means collecting name, physical address, government ID number, and alternate phone number at onboarding, with documented verification procedures and retention built for four years.

Strategically, treat compliance as a product feature rather than overhead. Providers that automate KYC, RMD updates, STIR/SHAKEN attestation, and traceback response will win customers away from providers that cannot. The cost of compliance is real, but the cost of non-compliance is now structurally higher.


What This Means for AI Voice Agent Providers

If you operate an AI voice agent product for sales, customer service, scheduling, or any outbound or inbound voice automation, the regulatory exposure is meaningful and the timeline to act is short.

The TCPA already applies to AI-generated voices. This has been true since February 2024. If your AI voice agents make outbound calls without prior express consent, you are operating in a posture of ongoing TCPA exposure right now, and the private right of action means consumer plaintiffs and their attorneys can sue without waiting for FCC enforcement.

The April 2026 KYC FNPRM will reach AI voice providers even though it technically applies to originating voice service providers. Most AI voice products depend on an underlying voice service provider for call origination, which means the KYC obligations flow through that relationship. AI voice vendors will need to demonstrate to their voice service provider partners that their end customers have been verified, or they risk losing access to origination entirely.

The proposed AI safe harbor is a real opportunity rather than just a regulatory burden. If the FCC adopts it, AI voice vendors that build verification and bad-actor detection into their products now will gain a regulatory advantage. Building these capabilities ahead of the final rule positions the product favorably regardless of how the safe harbor question resolves.

Consent management is the binding constraint for most teams. The hardest operational problem in AI voice compliance is proving prior express consent for every contact. Vendors that solve this with documented, auditable consent capture, integrated directly with their dialing or routing logic, will be in a defensible position. Those that do not will accumulate legal exposure with every campaign.

Disclosure requirements are coming. Mandatory AI disclosure on outbound calls is the most likely near-term FCC action in this space. Building disclosure capability into the product now is the lower-cost path compared to retrofitting it after a final rule ships. For the broader telecom compliance picture AI voice resellers need to track, our AI voice agent PSTN compliance for resellers guide covers Form 499-A, BDC voice subscription reporting, and the rest of the obligation stack.

MSP Takeaway

Resellers who build on a voice platform that already handles STIR/SHAKEN attestation, RMD filing, and telecom tax automation are not assembling a regulated service from scratch every time they add an AI voice customer. That operational depth becomes the difference between a scalable AI voice practice and a compliance backlog that grows with every new account.

Providers running on ViiBE get STIR/SHAKEN attestation, telecom tax automation, and quote-to-cash workflows built into the same platform that handles AI voice agent billing, rather than as separate vendor relationships to manage and reconcile. That consolidation matters more as KYC and KYUP obligations stack on top of existing RMD and STIR/SHAKEN requirements.


Compliance Checklist for 2026

RMD compliance: confirm your RMD filing is current and accurate, schedule annual recertification for the window that opens February 1 and closes March 1, update the filing within 10 business days of any material change, and review the mitigation plan against current FCC guidance at least annually.

  • STIR/SHAKEN: confirm attestation level and document the basis, map attestation status to your RMD certification, and maintain documentation of verification practices for A-level attestation
  • KYC preparation: collect customer name, physical address, government ID number, and alternate phone number at onboarding, document verification procedures, and build four-year record retention infrastructure now
  • TCPA and AI compliance: audit all outbound AI voice calls against prior express consent requirements, implement consent capture with a full audit trail, and add AI disclosure language to outbound call openings
  • KYUP preparation: document upstream provider relationships and build verification procedures for upstream traffic acceptance
  • Operational: designate a single compliance owner with authority over RMD, STIR/SHAKEN, KYC, and TCPA, and build the March 1 recertification deadline into your annual compliance calendar

None of this is optional once your business touches real phone numbers and PSTN connectivity. The providers who treat this as a quarterly review instead of a once-a-year scramble are the ones who will avoid the fines that are now structurally higher than they were even a year ago.


RMD Database Compliance and the Robocall Mitigation Roadmap Ahead

The RMD database and robocall mitigation framework in 2026 is no longer a registration-and-forget compliance task. It is a continuous, annually recertified, increasingly aggressive regulatory regime, and the FCC has signaled clearly that KYC and KYUP obligations will formalize and expand over the next 12 to 24 months. AI voice agent providers carry the additional exposure of TCPA application to AI-generated voice calls, a fact that has been true for over two years but is still poorly understood across the AI voice product market.

The providers who navigate this well are the ones who treat compliance as platform infrastructure rather than a series of bolt-on integrations. The cost of a $10,000 RMD fine, removal from the database, or TCPA exposure is meaningfully higher than the cost of building the right capabilities into your operational stack now.

If you are evaluating whether to build this compliance posture yourself or move to a platform that already handles STIR/SHAKEN attestation, telecom tax automation, and AI voice agent billing in one place, Viirtue's white-label partner program is built for MSPs and telecom resellers who want that operational depth without stitching together vendors to get it.

FAQ: RMD database

What is the RMD database?

The Robocall Mitigation Database is the FCC’s public registry where U.S. voice service providers, intermediate providers, gateway providers, and MVNOs certify their STIR/SHAKEN implementation status and the specific robocall mitigation practices they apply on their networks. Downstream providers are prohibited from accepting traffic from voice providers not properly registered in the RMD.

Every voice service provider, intermediate provider, and gateway provider operating in the United States must file in the RMD. The FCC confirmed in a February 2026 Enforcement Advisory that this explicitly includes Mobile Virtual Network Operators (MVNOs).

March 1 of each year, beginning March 1, 2026. The recertification window opens February 1.

The FCC can impose fines (now starting at a $10,000 base for inaccurate filings) and can remove non-compliant providers from the RMD. Removal from the RMD leads to downstream blocking of the provider’s traffic. In August 2025, 185 providers were removed from the RMD for inadequate compliance.

AI-generated voice calls are not illegal per se, but they fall within the TCPA‘s restrictions on “artificial or prerecorded voice” calls. Since February 8, 2024, AI voice calls have required the same prior express written consent as any other artificial-voice call, absent an emergency or statutory exemption.

On April 30, 2026, the FCC adopted a Further Notice of Proposed Rulemaking proposing to require originating voice service providers to collect, retain, and verify customer name, physical address, government-issued ID number, and alternate phone number before provisioning service. The proposal also includes potential per-call penalties, four-year record retention, and an AI safe harbor.

Know Your Upstream Provider (KYUP) is a separate FCC FNPRM introduced on May 20, 2026. It proposes that voice service providers verify and document the providers from whom they accept upstream traffic, complementing the customer-side verification proposed under KYC.

No. STIR/SHAKEN is a specific technical framework for cryptographically signing caller ID information. Robocall mitigation is the broader set of operational practices used to prevent illegal calls from originating on a provider’s network. The RMD requires certification of both.

By treating consent capture, AI disclosure on outbound calls, and customer identity verification as binding product requirements now, rather than waiting for final rules. Building these capabilities early positions the product favorably regardless of the final rule outcome, and may qualify for the proposed AI safe harbor.

Deploy a Fully-Featured Class 5 Softswitch under your own branding

Start Selling VoIP Today

AI Solutions

VoIP & Fax

Viirtue’s free, full-service tool for MSPs.
Free for all Viirtue partners, ViiBE makes quoting and billing seamless, so you can grow your business efficiently while serving your clients better.

FREE eBOOK

The 7 Silent
Profit Killers.

In just 25 minutes, you will spot the leaks, estimate the damage, fix the workflow, and get AI-ready, with downloadable checklists to lock it all in.

Download the FREE ebook and fix what’s costing you time and money before it costs you another week.