What changed
FACT (Federal Register, 2026-07-09): the FCC issued a proposed rule to enhance Know-Your-Upstream-Provider (KYUP) requirements, expand STIR/SHAKEN Governance Authority vetting/enforcement, codify attestation levels, and define improper attestations. Simultaneously (FACT, Google/DeepMind blogs): provider-hosted long-running agents with remote MCP (Gemini API) and computer-use in a cheap Flash-tier model make continuous browser-based verification loops economically viable for a solo builder.
Why now
The rule was published yesterday β the comment window is open and no tooling exists that is purpose-built for the proposed KYUP obligations. HYPOTHESIS: providers and their compliance consultants will start preparing during the comment/adoption window because RMD removal (the enforcement stick in this framework) is effectively a death penalty β downstream carriers must block traffic from delisted providers. Building now means being the named tool when the rule finalizes. Risk: this is a PROPOSED rule (NPRM), not adopted β final obligations, scope, and deadlines are unknown and could be 6-18 months out or materially changed.
Converging signals
(1) Regulation: FCC KYUP NPRM creating information-collection, verification, monitoring, and compliance-review duties for voice providers [federalregister.gov]. (2) Capability: managed background agents + remote MCP hosted in the Gemini API removes agent-loop plumbing [blog.google]. (3) Capability: computer use in Gemini 3.5 Flash makes recurring browser verification against the RMD and state SOS/PUC records cheap [deepmind.google].
Customer pain
HYPOTHESIS (grounded in the rule text summary): every voice service provider β including thousands of small VoIP resellers, gateway and intermediate providers β would have to collect upstream-provider information, verify it, monitor attestation behavior, and document periodic compliance reviews. Small providers have no compliance staff; today this class already struggles with RMD filings and robocall mitigation plans and faces FCC enforcement letters. The pain is 'produce a defensible paper trail or get blocked from the US phone network.'
Who pays
Primary: small/mid US voice service providers, intermediate providers, and gateway providers listed in the Robocall Mitigation Database (the RMD itself is a public, downloadable list of every obligated entity β a complete lead list). Secondary: telecom compliance consultancies and telecom law firms (e.g., CommLaw Group-style practices) who would white-label the tool across dozens of client providers. HYPOTHESIS: these firms already charge providers monthly retainers for FCC compliance, proving budget exists in the channel.
Solved today
HYPOTHESIS: manually β spreadsheets of upstream carriers, one-time onboarding questionnaires, occasional RMD lookups by a consultant or paralegal; larger providers use robocall-mitigation platform vendors (TransNexus, Numeracle) whose focus is call analytics and STIR/SHAKEN signing, not vendor due-diligence file assembly.
Why current solutions are bad
Manual vetting is point-in-time, but the NPRM contemplates ongoing monitoring and periodic compliance reviews β a spreadsheet from onboarding day proves nothing at audit time. Incumbent platforms sell signing/analytics infrastructure, not an audit-ready KYUP evidence file. Consultants doing this by hand are expensive and don't scale to continuous monitoring.
Proposed product
A managed compliance agent: provider enters its upstream carriers; the agent (a) pulls and archives each upstream's RMD record and state registration via browser automation, (b) re-checks on a schedule and diffs for status changes/delistings, (c) tracks attestation-level behavior where data is available, (d) generates a timestamped, audit-ready KYUP compliance-review report each quarter, and (e) alerts instantly if an upstream is removed from the RMD or flagged. Long-running managed agents (Gemini background tasks + MCP) handle the monitoring loop without custom orchestration infrastructure.
MVP version
A single-tenant web app: input list of upstream providers β automated RMD lookup + archive + state-record check β one generated PDF 'Upstream Provider Compliance Review' with evidence screenshots and timestamps, plus email alerts on RMD status changes. No integrations with carrier switches required. 4-6 weeks of solo AI-assisted build; RMD data is public.
30-day build
Read the full NPRM and file/monitor the docket; extract the exact proposed obligations into a checklist (this checklist is also content marketing). Scrape the RMD to build the prospect database. Build the RMD-verification + report-generation core. Interview 5-10 small VoIP operators and 2-3 telecom compliance consultants (reachable via LinkedIn, ClueCon/telecom forums) to validate what an 'audit-ready' file must contain.
60-day build
Ship MVP. Sell it TODAY against existing obligations β HYPOTHESIS to verify in week 1: providers already have RMD filing and robocall-mitigation-plan duties in force, so 'continuous RMD monitoring of your upstreams + evidence file' has standalone value before the NPRM finalizes. Offer 10 founding customers a discounted annual rate. Pitch 3 consultancies on white-label.
90-day revenue plan
Target 10-20 providers at $149-$399/mo (or consultancy white-label at $99/provider/mo across their book). Outbound email to RMD-listed providers referencing the open FCC docket is the wedge ('here is what the FCC is proposing you'll have to document β here's your current upstream risk report, free'). Free personalized risk report as the demonstrated-value hook fits this founder's sales style.
Distribution path
The RMD is a self-updating, public list of every buyer with legal names β pure outbound. Plus: telecom compliance consultancies as channel partners, FCC docket commenters as warm leads, and SEO on 'KYUP requirements' (near-zero competition on a term coined by a day-old rule).
Pricing hypothesis
$149-$399/mo per provider depending on upstream count; $1,500-$3,000/yr prepaid annual; white-label tier for consultancies. Per-monitored-upstream pricing mirrors the founder's proven per-transaction model.
Technical difficulty
Low-moderate: public-database scraping/monitoring, diffing, PDF report generation, scheduled agents. The founder has shipped exactly this shape (government portal automation, FMCSA ELDT). Hardest part is domain accuracy β the report must map to the rule's actual language, which a telecom-attorney review (~$2-5k, affordable now) de-risks.
Legal / regulatory risk
Low-moderate: the product documents compliance, it does not practice law β but reports must avoid 'legal advice' framing (disclaimer + attorney-reviewed templates). Scraping the RMD (public FCC data) is low-risk. Main risk is regulatory: the NPRM could be adopted with different requirements or not at all β mitigated by selling standalone monitoring value against current obligations.
Platform dependency
Low: FCC public data + generic browser automation. Gemini managed agents are a convenience, not a dependency β the loop could run on any model or plain Playwright.
Founder fit
VERY HIGH pattern match with one caveat. This is the proven shape β a federal mandate compels a class of entities to collect/verify/document, and a solo operator builds the automation layer and charges recurring fees (matches the stored heuristic, confidence 0.80, scoring founder-fit 8-9 for portal-mandate plays). Caveat: unlike ELDT, there is no per-submission portal event to meter; it's monitoring/documentation, so revenue is subscription rather than per-filing. Systems thinking, public-records automation, and demonstrated-value selling all apply directly.
Breakout potential
Moderate-high: expand from KYUP into the full small-carrier FCC compliance stack (RMD filing updates, 499 filings, STIR/SHAKEN attestation audits, state PUC registrations) β a 'compliance department in a box' for the ~10k small entities in the RMD, each worth $2-10k/yr.
Final recommendation
PURSUE as a paced bet, not a sprint: spend β€2 weeks validating that (a) currently-in-force KYU/RMD obligations support standalone sales before final adoption, and (b) 3+ small providers or 1 consultancy will pre-commit at $149+/mo. If yes, build the 6-week MVP and work the RMD lead list while tracking the docket; the day the rule is adopted, this becomes a forced-buyer land-grab where being first-named matters. If validation fails, tag 'revisit later' with a docket-watch trigger.
Next action
Read the full NPRM text and comment deadline on federalregister.gov; download the current Robocall Mitigation Database; send 10 validation emails to small RMD-listed providers offering a free 'upstream provider risk snapshot.'