Convergence Radar Convergence Engine

← Feed

B

CallerVault β€” KYC & Re-Verification System of Record for Originating Voice Providers

61/100

A hosted KYC vault for VoIP originating providers and wholesale resellers that captures identity verification at onboarding, auto-schedules re-verification at every renewal, escalates high-volume callers into enhanced diligence, and produces a tamper-evident, per-customer evidence file on FCC Enforcement Bureau demand.

Worth deeper research β€” promising but has risk. Β· created 2026-07-10 15:35 UTC

saascompliance monitorsapipublic recordsagentlong-termrevisit later

Scorecard

newness 8/10
convergence 7/10
demand evidence 8/10
existing spend 6/10
solo feasibility 7/10
speed to mvp 7/10
speed to revenue 4/10
distribution 7/10
competitive gap 4/10
expansion 6/10
founder fit 9/10

Penalty flags
no urgent pain (βˆ’3 from raw 64)

Opportunity brief

What changed
FACT (Federal Register, FCC, 2026-05-26): the FCC proposes to expand its Know-Your-Customer requirement for voice service providers, seeking comment on customer identification requirements for new AND renewing customers; requirements for verifying, retaining, and re-verifying customer information; requiring more information from certain customers such as high-volume customers; and β€” the sharp edge β€” proposing to assess penalties for KYC violations ON A PER-CALL BASIS. FACT (Federal Register, FCC, 2026-07-09): a companion proceeding proposes to enhance Know-Your-Upstream-Provider (KYUP) requirements, raise caller-ID attestation standards, and close STIR/SHAKEN implementation gaps. HYPOTHESIS: taken together these two proceedings convert a vague 'know your customer' obligation into a documented, auditable, recurring recordkeeping duty for every originating provider.
Why now
FACT: both items are at the proposed-rule / comment stage as of 2026-07-09 (the KYUP item published 2026-07-09, the KYC item 2026-05-26). This is the pre-rule window β€” the period in which providers, trade groups and compliance vendors are reading the NPRM and modelling cost. HYPOTHESIS: the per-call penalty theory is what changes behaviour. A provider originating millions of calls a month faces a penalty base that scales with traffic, not with the number of violations β€” that is an asymmetric, existential exposure that makes documented KYC evidence cheap insurance at almost any software price. INFERENCE: building during the comment window means shipping the day the rule is adopted, which is the only moment a compliance tool has an unfair sales advantage.
Converging signals
Three signals meet at one point. (1) A rule that compels a defined class to verify, retain and re-verify (FCC KYC NPRM, 2026-05-26). (2) A parallel rule tightening the upstream/authentication side of the same framework (KYUP + STIR/SHAKEN NPRM, 2026-07-09), which raises the diligence standard across the whole call path. (3) An existing registry β€” the Robocall Mitigation Database β€” that already enumerates the filer class and already requires an annual certification the evidence would attach to. FACT: the KYC NPRM text explicitly frames the requirement as complementing the Commission's other call-branding/caller-name efforts. INFERENCE: the RMD is the addressable-market list, published and free.
Customer pain
HYPOTHESIS (not established by the source text): originating providers today keep customer identity records as ad-hoc artefacts β€” a scanned EIN letter in a shared drive, a sales-rep email, a CRM note. There is no re-verification calendar, no defensible chain of custody, and no way to answer an Enforcement Bureau letter of inquiry in days rather than weeks. FACT from the source: the Commission itself describes a 'gap between its current Know Your Customer requirement and the types of rigorous KYC steps necessary,' i.e. the regulator asserts current practice is inadequate. The pain is regulatory exposure with per-call arithmetic behind it, not workflow annoyance.
Who pays
The originating voice service provider β€” specifically the compliance officer or general counsel at VoIP originating providers, wholesale carriers and resellers registered in the FCC's Robocall Mitigation Database. Secondary buyer: the telecom regulatory consultants and law firms who already file RMD certifications on behalf of small carriers and would white-label the vault. INFERENCE: the several-thousand-entity RMD registrant list is the buyer list; the source document states neither a respondent count nor a dollar figure, so any market size here is inference, not fact.
Solved today
INFERENCE (not in the source text): a mix of (a) nothing β€” a credit check and a signed AUP; (b) generic KYC/KYB identity vendors (Persona, Alloy, Middesk) bolted onto an onboarding form with no telecom-specific retention or re-verification logic; (c) robocall-mitigation platforms (TransNexus, Numeracle, Somos, iconectiv) that handle STIR/SHAKEN signing and RMD filings but are not, as far as the source text establishes, KYC evidence vaults; (d) outside telecom counsel assembling a response after an FCC letter of inquiry arrives.
Why current solutions are bad
Generic KYB vendors verify once, at signup, and have no concept of 'renewal,' 'high-volume customer escalation,' or 'produce the file to the Enforcement Bureau.' Ad-hoc drives have no immutability and no audit trail β€” exactly the thing an enforcement response needs. Outside counsel is reactive and expensive. HYPOTHESIS: the unmet need is not identity verification (a commodity API) but the *evidence lifecycle* around it β€” schedule, escalate, retain, attest, produce.
Proposed product
A single-tenant-per-provider KYC vault. Onboarding flow that runs a customer through an identity/business-verification API and stores the raw provider response, not just the verdict. A re-verification calendar that fires at each contract renewal and on rule-defined intervals. A traffic-threshold rule engine that escalates a customer into enhanced-diligence status when call volume crosses a configurable line, with a documented diligence checklist. Write-once, hash-chained retention with per-record timestamps. An 'Enforcement Bureau response' export that assembles a per-customer evidence package as a paginated, indexed PDF plus raw artefacts. Ties to the provider's existing Robocall Mitigation Database certification.
MVP version
Four things and nothing else: (1) customer record + document upload with hash-chained append-only storage; (2) one identity/KYB vendor integration (resold at cost plus a per-verification fee); (3) a re-verification scheduler with email escalation; (4) the evidence-package export. Skip SSO, skip billing integrations, skip a mobile app. Ship as a hosted multi-tenant app with per-tenant encryption.
30-day build
Do not write the product yet. Read both NPRMs end to end and read the public comments as they land on the FCC ECFS docket β€” the comments will name the providers who care and the trade associations (INCOMPAS, USTelecom, Cloud Communications Alliance, the VON Coalition) that speak for them. Pull the full Robocall Mitigation Database registrant list, which is public, and segment it: the large carriers are unreachable, the several-thousand small/mid originating providers and resellers are the market. File a short, substantive comment in the docket yourself β€” it is free, it is public, and it puts your name in front of exactly the compliance officers you want to sell to. Build the hash-chained document store and the customer schema.
60-day build
Integrate one KYB vendor. Build the re-verification calendar and the enhanced-diligence escalation workflow. Build the evidence-package export β€” make it beautiful, because it is the artefact a general counsel hands to a regulator, and it is the whole demo. In parallel, run twenty discovery calls sourced from the RMD list and the comment filers, and ask one question: 'If the Enforcement Bureau sent you a letter of inquiry about customer X tomorrow, how long would it take you to produce their verification file?' The answer to that question is the sales pitch. Recruit three design partners at a discounted annual rate in exchange for a case study.
90-day revenue plan
Convert design partners to paid annual contracts and open general availability positioned as 'be ready the day the rule is adopted.' Realistically, first revenue is design-partner revenue and it lands somewhere between day 90 and day 150 β€” a small originating provider will pay $500–$1,500/month to make a per-call penalty theory go away, but most will not sign until the rule is final or clearly imminent. Sell an annual contract with a 'no adopted rule, no renewal' clause to remove the buyer's main objection. Simultaneously court the regulatory consultancies who file RMD certifications: one consultancy relationship can carry thirty small carriers, and that is the fastest path to volume.
Distribution path
The FCC ECFS docket for both proceedings is a free, public, self-qualifying lead list β€” every commenter has raised their hand as a party that cares about this rule. The Robocall Mitigation Database is a published registrant list with contact information. Beyond that: the telecom trade associations' compliance webinars, the small-carrier consultancies who already do RMD filings, and content marketing aimed at a single search intent ('FCC KYC rule what do I have to do'). No ad spend required. Zero relationship selling required β€” the evidence-package export is the demo, and the demo closes.
Pricing hypothesis
Per-provider SaaS subscription tiered on downstream customer count: roughly $500/month for under 50 customers, $1,500/month for 50–500, $4,000/month above that. Plus a per-verification pass-through fee (identity vendor cost plus a $3–8 margin). Annual prepay preferred. HYPOTHESIS: the price anchor is not competing software, it is the cost of one outside-counsel hour and the tail risk of a per-call penalty β€” which means the ceiling is far above what the software costs to run.
Technical difficulty
Low to moderate, and squarely inside the founder's proven envelope. Hash-chained append-only storage is a solved pattern. The identity verification is someone else's API. The re-verification calendar is a cron and a state machine. The evidence-package export is document generation. Nothing here needs a distributed system, an ML model, or a research bet. The hard part is not the code β€” it is knowing precisely what the rule will require, which is a reading-comprehension problem, not an engineering one.
Legal / regulatory risk
Real but manageable, and of an unusual kind: the product's value depends on a rule that does not yet exist. If the FCC narrows or abandons the KYC expansion, the compliance urgency evaporates and the product reverts to being a nice-to-have vendor-management tool. There is also a positioning hazard β€” never represent the product as guaranteeing compliance, because the provider remains the regulated party and the FCC will hold them, not the vendor, responsible. Compliance here is the moat, not a burden the founder must personally bear: he does not need to become a licensed carrier, register with the FCC, or hold any certification to sell this.
Platform dependency
None that matters. There is no app store, no marketplace reviewer, and no platform owner who can deplatform a tool whose output is a PDF handed to a federal agency. The one real dependency is the identity/KYB vendor, and that is mitigated by designing the verification adapter to be swappable from day one and by storing raw vendor responses rather than normalised verdicts.
Founder fit
Very high, and for a specific structural reason. This is the exact shape of the FMCSA ELDT product he already shipped: read a federal mandate, identify the class that is forced to file, build the layer that produces and submits the required record, charge per transaction or per seat. The differences are that there is no portal to submit to (evidence is produced on demand rather than filed), and that the rule is proposed rather than final. His public-records and systems-thinking strengths map directly onto the ECFS-docket-as-lead-list distribution motion. His weakness β€” no telecom domain credibility, no existing carrier relationships β€” is the one thing that matters here, and it is real.
Breakout potential
Moderate. The natural expansion is adjacent and obvious: the 2026-07-09 KYUP proceeding creates a nearly identical evidence obligation one hop upstream, so the same vault sells twice into the same account. Beyond telecom, the 'regulated party must verify, re-verify, retain, and produce evidence on demand' pattern recurs across money-services businesses, gaming, and crypto β€” but each of those has entrenched, well-capitalised incumbents. The honest ceiling here is a several-thousand-account market at low-four-figures monthly, which is an excellent solo business and not a venture outcome. That is the correct target.
Final recommendation
BUILD β€” but stage it, and do not treat this as a fast-cash play. The founder-fit is genuinely maximal: this is the ELDT shape, a federal mandate compelling a defined class to document and produce, monetised per seat and per transaction, sold without relationship selling. Both the demand signal (per-call penalties against a defined filer class) and the distribution channel (a free, public, self-qualifying docket and registry) are strong and real. But the timing risk is the whole story. The rule is proposed, not adopted; there is no deadline; and the buyer's rational move is to wait. Two things must be true before writing production code. First, the founder should file a substantive comment in the docket and use the responses as his first twenty discovery conversations β€” that costs nothing and tells him whether providers feel this as urgency or as noise. Second, he should confirm from the comment record whether the incumbent robocall-mitigation vendors are already announcing KYC modules; if they are, the wedge is gone and this dies. If those two checks pass, build the evidence vault, sell design partners on rule-contingent annual contracts, and be the only product that exists on the day the rule is adopted. Expect first meaningful revenue at 120–180 days, not 30. That is acceptable given the founder now has capital and runway, and the lesson at 0.90 confidence says to judge on sellability rather than 30-day cash. Downgrade to KILL immediately if the FCC narrows the KYC item, or if TransNexus or Numeracle ships a KYC vault first.
Next action
Open the FCC ECFS docket for the Enhancing Know-Your-Customer proceeding (Federal Register 2026-10407, published 2026-05-26) and read every comment filed to date. Extract two lists: the providers who commented (your first twenty discovery calls) and any compliance vendor who commented (your competitive threat set). If no incumbent vendor has claimed the KYC-evidence space in the record, file your own substantive comment under your own name and start booking calls that same week.

Kill arguments (adversarial)

Competitors

β€’ TransNexus (link) β€” INFERENCE, not established by the source text: sells STIR/SHAKEN signing and robocall-mitigation software to exactly this buyer class. Holds the compliance budget and the RMD-filing relationship. A KYC evidence module is a natural bolt-on for them and the single largest threat to this idea.
β€’ Numeracle (link) β€” INFERENCE: operates in caller-identity and entity-vetting for voice traffic β€” arguably already doing a form of KYC on callers. Closest adjacent incumbent; verify whether their existing entity-vetting product already satisfies the proposed rule before writing any code.
β€’ iconectiv (link) β€” INFERENCE: administers the STI-PA / Policy Administrator role in the STIR/SHAKEN ecosystem referenced by the 2026-07-09 KYUP proceeding. Deeply embedded infrastructure incumbent; unlikely to sell a small-carrier SaaS vault, but sets the standards the product must conform to.
β€’ Persona / Alloy / Middesk (link) β€” INFERENCE: commodity KYB/identity-verification APIs. Not competitors so much as the substrate β€” but a buyer could call them directly and skip the vault, which is precisely why the defensibility must live in the retention, re-verification calendar, and enforcement-response export rather than in the verification itself.
β€’ Telecom regulatory consultancies (e.g. firms filing RMD certifications for small carriers) (link) β€” INFERENCE: currently the default 'solution' β€” outside counsel and consultants assembling records reactively. These are simultaneously the competition and the best white-label distribution channel; one consultancy relationship can carry dozens of small carriers.

Source citations (facts)

β€’ [Proposed Rule] Enhancing Know-Your-Customer Requirements β€” Federal Communications Commission β€” FACT: The FCC proposes to fill 'the gap between its current Know Your Customer (KYC) requirement and the types of rigorous KYC steps necessary to protect consumers,' seeking comment on customer identification requirements for new and renewing customers; requirements for verifying, retaining, and re-verifying customer information; requiring more information from certain customers such as high-volume customers; and proposing to assess penalties for violations of the KYC requirement ON A PER CALL BASIS. This is the forced-buyer mandate and the source of the per-call penalty exposure that underwrites willingness to pay. It is a PROPOSED rule at comment stage β€” the document states no effective date ('EFFECTIVE: n/a') and no docket deadline, which is the central risk to speed_to_revenue.
β€’ [Proposed Rule] Enhancing Know-Your-Upstream-Provider Requirements and Strengthening STIR/SHAKEN (Call Authentication Trust Anchor; Advanced Methods To Target and Eliminate Unlawful Robocalls) β€” Federal Communications Commission β€” FACT: The FCC proposes to strengthen its robocall mitigation framework by enhancing Know-Your-Upstream-Provider (KYUP) requirements, improving oversight of voice service providers by the STIR/SHAKEN Governance Authority, raising caller ID attestation standards, and closing STIR/SHAKEN implementation gaps. Published 2026-07-09, i.e. one day before this analysis. This is the convergent second signal: it extends the same diligence-and-evidence duty one hop upstream, doubling the surface the same vault can sell into, and confirms the Commission is tightening the whole framework rather than making a one-off change.
β€’ [Proposed Rule] Enhancing Know-Your-Customer Requirements β€” filer class and complementary rules β€” FACT: The Commission states these KYC efforts 'can complement call branding and caller name requirements the Commission may adopt,' and frames the aim as making it 'more difficult for scammers to originate illegal calls' β€” establishing that the obligated class is originating voice service providers, which is the buyer list. HYPOTHESIS (not in the document): that class numbers in the several thousands and maps to the Robocall Mitigation Database registrant list. The document states NO respondent count, NO dollar figure, and NO Paperwork Reduction Act burden estimate β€” every market-size number in this brief is inference.

Actions