Regulation around A2P messaging and best practices

Our Chief Strategy Officer, Simeon Coney, recently spoke with James Williams, Director of Programme at Mobile Ecosystem Forum, at the MEF Business Connects Hybrid Event. They delved into the topic of A2P Messaging Regulations, exploring the good, the bad and the ugly of regulatory actions we have seen so far in the industry.

The purpose of the session was to consider the impact of regulation on Business Messaging. This blog will cover some of the main discussion points and take-aways from the session. There is a video available on demand here.

What is Enea AdaptiveMobile Security’s role in A2P messaging?

Our mission has always been to deliver strong protection and control solutions for the messaging market. It’s more important than ever as we see an increase in A2P business communications, and at Enea we make the whole experience of being digitally connected on your device more secure.

We have been working with mobile network operators, aggregators and CPaaS providers for the past 18 years to secure subscribers by identifying and blocking bad SMS traffic. As we see the use of SMS increasingly moving from P2P (person-to-person) to B2B (business-to-business) communications, the mobile industry faces complex challenges in protecting SMS communication.

It is no longer just about preventing spam; we need to address unwanted communications, look at more complex content classification, enable subscribers to express preferences, and detect sending behaviors and engagements that are polluting the SMS channel and damaging end users.

What SMS threats do we see?

Enea AdaptiveMobile Security protects almost a quarter of the world’s population with our Messaging Protection, covering Anti-Spam, A2P Grey Route protection, and A2P Commercial Traffic Management. From our global intelligence, we see a broad spectrum of SMS behaviours triggering in our solutions, from well-intentioned but poor sending practices, through regulatory & contract violations, to very intentional malicious attacks looking to defraud consumers or enterprises.

What role is regulation playing in A2P SMS messaging?

There have been many changes in the A2P SMS market in recent times, and we want to focus on the regulation and industry awareness of best practices. When regulation meets industry there is often a lag in time and gaps in knowledge. We want to explore how we can improve best practices and operations for the entire ecosystem. Regulation provides great safeguards for citizens and well-crafted regulations facilitate this.

What are some of the threats to the A2P SMS Market Place?

Generally, the industry agrees that there has been an increase in the number of threats and attacks using SMS to defraud consumers. We have a global view of over 50 billion threat events daily and at present we see two areas of threats to the A2P Market Place that organizations should be planning mitigation for: security threats and consumer fatigue.

Security threats

These threats are often event or issue based. We’ve observed that any crisis, newsworthy item or system weakness will be used by attackers as bait to con subscribers. The Covid-19 pandemic is a strong example of this type of behavior. We covered this in our blog, explaining how attackers used the global pandemic to trick subscribers using fear. “Never let a good crisis go to waste” is the criminal’s motto, and they will seek to benefit from others’ misfortune. There was a strong industry reaction to this particular Covid-19 themed malicious traffic, with MEF initiating an SMS Sender ID registry in Ireland.

Consumer fatigue

A major threat to A2P SMS is consumer fatigue due to poor quality messages in their inbox – both spam / phishing (especially from trusted sender identities) and legitimate A2P messages sent from unknown sending identities (caused by Grey Routes). This leads to the real possibility of consumers not reading and engaging with business messaging over SMS.

What are some of the challenges facing A2P SMS senders?

Complex traffic analysis and regulatory rules

It’s not just processing traffic for spam and grey route controls that Firewalls need to perform. There is a growing body of regulatory rules with which compliance needs to be assured. This analysis requires far greater insight than simple spoof / faking checks or keyword / regular expression analysis.

Increase of Customer Complaints and pollution of SMS channel

These challenges are not restricted to any one geography. We are seeing regulators responding to customers and market changes across the globe. As A2P SMS traffic grows, it is only logical that it gets more attention from customers and regulators, as there will inevitably be an increase in customer complaints in line with growth in traffic volumes.

Supporting consumers across a broad range of industries

In recent years the mobile industry has become one of the most interconnected industries. There is a growing dependency on mobile devices for so many other industries, meaning we now have the added complexity of not only adhering to our own regulation but also to other industry regulations. A good example of this is the impact SMS phishing has on the banking industry. We are starting to see financial regulation imposing on mobile regulations.

What are some of the biggest challenges for regulators?

Speed of Response

The regulators face some big challenges in combatting bad sending behaviors. Firstly, how can they get appropriate and timely information to make decisions? They are often responding to issues after the fact. Unfortunately, regulation will always lag the market and the issues faced there.

Reality of the Practical Operations of the Messaging Industry

When regulatory bodies are making recommendations, industry groups such as the MEF community are in a good position to review the practical impact. Caution must be exercised around statements made in the absence of an awareness of operational practicalities.

For example, there have been sweeping statements regarding SMS security issues such as ‘SMS should never be used for sending 2FA (Two-Factor-Authentication)’.

While there are other technical solutions out there for 2FA, many of them only work for a minority of users. Some don’t have smartphones, data connections or biometric-enabled devices. Unlike a lot of these solutions, SMS is ubiquitous and works for all users, so we cannot dismiss its use in this regard. This type of industry knowledge and data is required to help guide the direction of regulation.

When does mobile industry regulation fail?

We see a broad spectrum of regulation and regulatory inconsistencies, from light-touch regulation, where regulators are trying to facilitate an effective eco-system, to very strict, well-intentioned but poorly executed regulation.

Often, tightly defined rules do not work. Unfortunately, prescriptively defined rules offer bad senders a clear boundary to work around. An example of this is regulation where there is a sending limit per customer for SMS. If a country regulates that it is permissible to send up to 100 messages per sending party identity, and that the messages in that range are all considered personal communications, gangs can programmatically send messages according to these limits to avoid detection thresholds. Whilst this is a well-intentioned rule from regulators, it is absolutely ineffective.

The chart below illustrates an example of a gang using a detection threshold to its advantage, with the horizontal axis representing the number of messages sent per unique sender, and the vertical representing the volume of messages sent per day. We can see a large number of users (members of a gang) each sending just under the threshold of 100 messages per day, meaning they won’t be detected.

Chart: Number of messages sent per unique sender, per day.
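The clustering described above can be surfaced by looking at the shape of the per-sender distribution rather than at the limit itself. The following Python is an added example, not code from Enea or MEF; the band width, alert ratio, persistence window and the sample traffic are assumptions constructed for illustration, and only the limit of 100 comes from the article.

```python
from collections import defaultdict

LIMIT = 100      # per-sender daily limit from the article's example
BAND = 10        # width of the band just under the limit (assumed)
RATIO_ALERT = 3  # top band this many times fuller than the band below (assumed)
MIN_DAYS = 3     # days spent in the top band before a sender is listed (assumed)

def hugging_ratio(day, limit=LIMIT, band=BAND):
    """Senders in [limit-band, limit) divided by senders in the band below it.
    Organic volumes thin out as they rise, so a ratio well above 1 is unusual."""
    top = sum(1 for n in day.values() if limit - band <= n < limit)
    below = sum(1 for n in day.values() if limit - 2 * band <= n < limit - band)
    return top / max(below, 1)

def flagged_days(days, alert=RATIO_ALERT):
    """Indices of days whose population shape suggests threshold hugging."""
    return [i for i, day in enumerate(days) if hugging_ratio(day) >= alert]

def persistent_huggers(days, limit=LIMIT, band=BAND, min_days=MIN_DAYS):
    """Senders that sit just under the limit on at least min_days days.
    A single busy day (a legitimate sender at 91) is not enough to be listed."""
    hits = defaultdict(int)
    for day in days:
        for sender, n in day.items():
            if limit - band <= n < limit:
                hits[sender] += 1
    return sorted(s for s, d in hits.items() if d >= min_days)

def sample_days():
    """Constructed traffic: {sender_id: messages sent that day} for three days."""
    days = []
    for d in range(3):
        day = {f"user{i}": 1 + (i * 7 + d) % 30 for i in range(40)}   # organic, 1-30
        day.update({f"biz{i}": 60 + 10 * i + d for i in range(3)})    # steady senders
        day["biz3"] = 91 if d == 0 else 50                            # one busy day
        day.update({f"gang{i}": 95 + (i + d) % 5 for i in range(6)})  # always 95-99
        days.append(day)
    return days

if __name__ == "__main__":
    days = sample_days()
    for i, day in enumerate(days):
        print(f"day {i}: hugging ratio {hugging_ratio(day):.1f}")
    print("flagged days:", flagged_days(days))
    print("persistent senders:", persistent_huggers(days))
```

Neither signal depends on any sender crossing the limit, which is why it still fires when every sender stays at 99 or below.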

What are the options if you don’t have strictly defined sending limits?

The reason for regulation imposing sending limits is that counting is easy. However, instead of just counting, the content or the intent of SMS communications needs to be analyzed. As an industry body, MEF has the global data to support and help regulators to learn.

Content-related behavioral analysis of SMS is hard

Deep data analysis of SMS may not be as easy as counting, but with leaps in technology it is possible. There are many practical challenges, for instance, certain content, such as gambling, pornographic, religious and political content, may be prohibited per geography. Who defines what constitutes that ‘type’ of content? Ambiguity in regulation can create far greater problems than the original intent of the regulation itself.

We need to consider not just classification of content but rules on when content can be sent. Who wants to be disturbed by promotional text messages in the middle of the night? It requires the sending parties to be aware of the type of message being sent – the liability rests with the last party carrying the message, so aggregators will be held responsible.

How can aggregators establish what sending is right or wrong?

How can an aggregator determine whether a midnight text message is a 2FA password reset that a customer desperately requires, or an unwanted and ill-timed marketing message? The industry needs more advanced approaches to data analysis; it’s clear that this is not just about counting.

Complexity of Controlling A2P SMS

Regulators in different countries have taken different approaches to controlling A2P SMS. In Brazil and France, for example, marketing and transactional content is separated into what content can and cannot be sent and at what time. As a global facilitator of A2P message sending, you have to be an expert on this across all geographies.

Another challenge is stopping the spread of misinformation via SMS. If regulation stops the spread of information that is misleading, the mobile industry suffers the same problem as social media has – who determines whether information is accurate or not? Take the Covid-19 pandemic as an example, which involved medical advice being shared on social media. Who decides what is legitimate information and what is misinformation? There need to be clear boundaries between what we can provide and areas where we have no expertise and need to resolve these problems with broader industry initiatives.

What is best practice?

There are several best practice guidelines that have been shared by industry bodies around the globe, including CTIA in the US, and MEF. Thankfully, there is consistency across broad categories on these documents and it’s great to see a strong focus on consent and control, enabling end users to opt out of communications. Also, having consistent definitions of the ‘bad activities’ in SMS, and an industry wide understanding of the terminology is very useful for promoting best practices.

How to support regulators and who enforces the regulation?

Regulation is a document – these are effectively the rules of the road, and supervision ensures compliance. It is important that we not only set out the rules but that they are monitored and that actions are taken to enforce them when they are broken.

Regulators’ main data feed is consumer complaints, and these complaints need to be put into context. There is a difference between 5 customer complaints from an SMS campaign sent to 500 users, and 5 complaints on an SMS campaign sent to 50,000 customers. Were the complaining customers not aware that they gave consent, or did they find the campaign offensive? The industry needs to better support regulators to contextually analyze complaints and ensure regulation is being adhered to through effective supervision.

STIR/SHAKEN Regulation

This regulation had seismic effects on North America, and we are now approaching a year into implementing STIR/SHAKEN. STIR/SHAKEN involves the certification and identification of a caller. The catalyst for implementation of this regulation was the Robocall problem faced by US consumers, who were inundated with these unwanted calls. Prior to the implementation of STIR/SHAKEN regulation, operators across North America were seeing a cumulative 5 billion robocalls a month, a number which has since reduced.

However, spammers have now started to adopt authentication to overcome this security mechanism. Bad actors don’t stop what they are doing just because there is a simple check. They embrace and adopt it, and it gives them ‘legitimacy’. Bad actors are now using this to their own ends. Robocalls are still an issue for US operators and subscribers – in May 2022, US subscribers received just under 4 billion robocalls. YouMail’s Robocall Index below charts the number of robocalls detected in the U.S. per month since STIR/SHAKEN was implemented, and we can see from the red trend line that there has been little change in their volume.

Chart: YouMail’s Robocall Index.

Sadly, as a security mechanism, it appears that STIR/SHAKEN has not had the effect the industry was hoping for.

What is the impact of poor supervision?

In the case of Robocalls, there was action by the FCC, DoJ and FTC. They levied a fine of 3.3 million U.S. dollars against a robocall scammer. In the end, the penalty was suspended, and the perpetrator wasn’t even banned from running a Telco service. Get the full story on that particular case here. It just goes to show that regulation that does not follow through with supervision and enforcement really is pointless!

Regulation: Why all stick and no carrot?

Finally, I have often wondered why regulation is mostly focused on the stick and punishment of bad sending behaviors. I have spoken on this topic before and really believe that there are so many opportunities to reward good sending behavior. By showing the advantages of compliance, we can limit bad sending and reward good sending. It will require data-driven changes to the whole industry environment, a change not to be underestimated, but that I believe will be to our benefit as industry members.
