To use phone numbers compliantly in many countries of the world, both Twilio and our customers must adhere to the local country regulations. Doing so often means that we must provide adequate identity documentation to the local regulator or carrier. If they don’t provide this information, there is a high risk the local regulators or carriers will disconnect the phone number.
This list of Frequently Asked Questions (FAQ) will provide more details about regulations, what you need to do to stay compliant, and why.
- General Phone Number Regulatory FAQ
- Privacy and Safety FAQ
- Phone Number Use Case FAQ
- Prefix Locality Matching FAQ
- Phone Numbers Console Regulatory FAQ
- Regulatory Compliance Communications FAQ
- V2 RC Platform FAQ
- IncomingPhoneNumbers API FAQ
A: Many countries around the world have recently been increasing their scrutiny of how their phone numbers are used. This increased scrutiny is driven by various factors, including increased incidents of misuse and abuse of phone numbers, heightened national security concerns, and increased pressure on the supply of numbers.
As a result, various countries are updating their regulations or placing greater emphasis on the enforcement of existing regulations, including those requiring validation of who is actually using the phone number and exactly where that individual or business is located. In short, the intent of these regulations is to verify who is using the number and where they are.
Twilio, our customers, end users, and providers each have a role and a collective obligation to ensure numbers are assigned and used in a manner consistent with the intent of the regulations in the relevant country.
Q: Is this enforcement only impacting Twilio customers? Is it because there’s spam and abuse on your platform?
A: No. Twilio does not permit spam or abuse on our platform. Regulatory requirements are due to worldwide enforcement of existing and new regulations as nations seek to have better control over their national communications infrastructures. All communications companies, including Twilio, are subject to these regulations, and providers and end customers ignore such requirements at their peril. End-user phone numbers that do not comply are at risk of being disconnected due to national regulatory action without notice regardless of provider, a gamble to which Twilio does not subject its customers or itself.
Q: Other providers do not require address and identity information for my phone numbers. Why does Twilio?
A: Many countries around the world have recently been increasing their scrutiny of how their phone numbers are used. We strongly believe all providers are being asked—or soon will be asked—to provide the same information Twilio requires. In every country, the regulations apply equally to all phone number providers. Twilio is in no way being singled out.
A: To help you comply with these regulations and minimize the risk of disruption to your phone numbers, Twilio maintains an up-to-date country-by-country guide of phone number regulatory requirements. We urge our customers to provide the necessary information for each country to help ensure their service isn’t interrupted or disconnected.
To understand these regulations, it’s helpful to keep in mind the objective: Regulators want to know who is using the phone number and where they are located. It is therefore understandable that the regulations focus on the end user, the party actually using the phone number in question to make or receive calls. It also makes sense that regulators want the end user’s name, address, proof of address, and/or an identity document, and that all the documents must match. For example, the name on a utility bill submitted as proof of address must exactly match the name on the submitted passport. In some instances, a local address is required, as indicated by country.
Q: I’ve been told to “map” my phone numbers to addresses and identity documents. What does this mean, and how do I do it?
A: Phone numbers with regulatory requirements need to have certain information or documents associated with them, which is what we call “mapping”. It lets us know which phone numbers go with which addresses and identity documents. You can find instructions on how to map a phone number to an address and document here.
A: Yes, we require the date of any business registration to be in line with country requirements. If there is a country requirement that a piece of documentation be valid within a certain timeframe, it will be listed on the country requirement page. If there is no country requirement, we prefer documentation to be dated within one year of submission, so we have the most up-to-date information for your company on file. Please check your country registry to obtain the most up to date documentation available to you and if you are unable to acquire documentation please send an email to firstname.lastname@example.org. We prefer any information that is being used to confirm an address and is not a government-issued ID — such as utility bills, rent receipts, etc. — to be dated within three months of submission.
Q: Can I reuse documents I’ve uploaded in the Console for previous Regulatory Bundles or do I need to upload them again?
A: Yes, you can utilize identity and supporting documentation that you’ve already uploaded to create a new Regulatory Bundle. While creating a Regulatory Bundle, look for the option to Select existing individual/business information. Eligible options will be presented in a table: choose the desired option and click Select & Save. The same is true for the supporting documentation. When adding supporting documentation, you can click the Select existing supporting document option, and choose the desired document from the table. Only documents that meet the regulatory requirements will be presented.
If your supporting documentation is older than one year, new documentation will need to be uploaded.
A: You can delete Regulatory Bundles in Draft state. Deleting a draft Regulatory Bundle will unassign any Supporting Documents and End-Users you have assigned to the draft Regulatory Bundle, but these objects will not be deleted.
A: We do our best to verify documents submitted within 24 business hours.
A: We are investing heavily in automated systems to make compliance easier. We have brought a number of these systems online already and you’ll see many improvements in the coming months that will make the process easier and faster. These systems will include intelligently determining and presenting regulatory requirements for each number-set up front, a new user experience, and improved APIs to help guide you through the processes required.
A: Twilio takes privacy very seriously. Twilio must collect the data requested and we have legitimate interests for doing so, including regulatory obligations and fraud and abuse prevention. Accordingly, the collection of this data is lawful under privacy law. Although we must collect the data, we remain conscious that the data being collected is sensitive and we must treat it accordingly. The data is subject to the requirements of our Binding Corporate Rules - Controller Policy, which provides for application of a GDPR-level of data protection regardless of where the data originates globally. And pursuant to our internal data protection risk impact assessment, the data is subject to more stringent handling requirements commensurate to the sensitivity level. Among other things, these requirements include limiting access to the data to only those staff members who must see it to perform their job functions, conducting privacy and security training with these staff members prior to permitting them to handle the data, and ensuring all data is stored securely.
A: Our requirements are a synthesis of multiple sources and therefore generally cannot be found verbatim in the local regulations. The sources we use are primarily the text of the regulations, direct conversations with regulators, the judgment and interpretation of Twilio’s legal counsel, industry best practices, the standards of telephone carriers, and our experience in handling requests by government and law enforcement agencies.
Q: I need to retain my phone number in a country but do not meet the requirements. What should I do?
A: If you cannot meet the requirements for a specific phone number type in a given country, we recommend you look at a different number type for that country. Countries often have multiple phone number types (for example, national vs. local), and different phone number types are set up for different uses and have different requirements. It may be that you are using a current phone number type that isn’t appropriate for your situation; for example, local numbers are often meant for people with physical addresses in a specific region of a country. However, there is often another number type in the same country that is well suited to your situation. If that approach doesn’t work, then you may have to use a phone number in another country where you meet the requirements. Please email your account rep or email@example.com for assistance, if you cannot find a solution.
Q: I need to retain my current phone numbers in a country where I don’t meet the regulatory requirements for any of the phone number types. I’ve tried everything you’ve outlined and there is no acceptable alternative. What do I do? What is Twilio doing to help me?
A: We recognize that this is an exceedingly difficult situation for our customers. We want to assure you that we’ll allow you to use your current phone numbers for as long as we reasonably can. We will only disconnect your phone numbers if there is no other legal option available.
We are also committed to helping you find a solution in the following ways:
- We are actively working to enable new number types in some countries.
- As the opportunities arise, we will advocate for changes to these regulations. We fundamentally believe that every country should offer a phone number type accessible to any international business that provides valuable services to the citizens of that country. We are, however, realistic about timelines. We recognize that the passage of new regulations may take time, and as a result, this approach is likely a longer-term solution.
- We are working on possible solutions that would make it easier for customers to comply with current regulations. For example, there are sometimes relatively inexpensive ways for you to set up a legal entity and/or a presence in a country. We are investigating where we can provide lightweight solutions to meet the requirements.
A: Yes, by utilizing the v2 Regulatory Compliance APIs, you can build your own web portal for your customers to self-service manage their Regulatory Compliance.
Q: Our legal/authorized representative does not wish to provide a copy of their ID, which is required for the phone number type I am trying to provision. What options do I have?
A: Your options vary by country. The first thing you should do is reference Twilio’s Regulatory Guidelines to determine whether an alternative exists. For example, in France, if you do not wish to provide a copy of the proof of identity of the authorized representative of your company, you can execute a Power of Attorney signed by the authorized representative, and submit the identity of the individual who is identified on the Power of Attorney.
If you review the Regulatory Guidelines and still have questions about identity documents, you can contact your account representative, or email firstname.lastname@example.org for additional information.
Q: Can I set up a trial account with trial phone numbers that require regulatory information/documents even though I cannot provide any regulatory documentation?
A: No, you cannot. Regulators and carriers expect phone numbers to be compliant from the time they begin to be in use. However, you should be able to select a phone number type in a country where you can meet the necessary regulatory requirements. If you are unable to determine what type of number this may be, you should contact your account representative or email@example.com for more information.
A: Twilio takes its responsibility to safeguard your sensitive personal data very seriously. Accordingly, Twilio applies technical controls such as encryption, access logging and least privileged access when processing this data. In addition to technical controls, our staff undergoes training on the proper handling of this data. Twilio is committed to applying the highest standards of protection for personal data and accordingly has implemented Binding Corporate Rules. In addition, Twilio is ISO 27001 certified.
A: We recognize that certain phone number use cases in certain countries will require emergency services support for the provisioned phone numbers. Please contact us at firstname.lastname@example.org prior to purchase if you need more information.
A: You should start by identifying the country where you want to provision the phone number. Then, you should review that country’s Regulatory Compliance requirements and determine what numbers you are eligible to provision, based on your location and the documentation you have available to you. You can also review the SMS and Voice guidelines, which have additional information about usage. Additionally, you can contact your assigned account representative, who may be able to further assist you. Finally, you can take a short training we developed to learn more about international regulatory compliance.
Q: Is there anything about how phone numbers are used in the country I want to provision a number that I need to know?
A: Yes. Every country treats phone numbers differently, and in some cases a country has restrictions around how certain number types can be used. You can view country-specific considerations here, but this list may not be comprehensive. We strongly encourage our customers to review proposed use cases with qualified legal counsel to make sure that they comply with applicable laws. The following are some general best practices for SMS messaging, but you should seek counsel regarding your specific use case:
- Get opt-in consent from each end user before sending any communication to them, in particular for marketing or other non-essential communications.
- Only communicate during an end user's daytime hours unless it is urgent.
- SMS campaigns should support HELP/STOP messages, and similar messages, in the end user's local language.
- Do not contact end users on do-not-call or do-not-disturb registries.
A: In some countries, regulators require that local and/or national numbers be affiliated with an address associated within the locality of the phone number’s prefix. This goes back to the early days of telephony, when phone numbers were assigned specifically to an individual’s home or business, and would change if the home or business location moved. While this is not the way that phone numbers typically work these days, we nonetheless must respect each jurisdiction’s right to protect their local number blocks, and comply with these regulations.
A: The Phone Numbers Regulatory Compliance Report displays all your regulated phone numbers, the overall compliance status, and a quick link to individually map each phone number.
Find the Compliance Report section under Regulatory Compliance in the Twilio Console. To start, use the provided filter to find the country and phone number type of interest to you. When you have made the desired selection, please click the Search button. You will see a list of Phone Numbers with their current compliance status: Compliant, Not Compliant, and Pending Review: Provisionally Approved.
For each number in this list, you can review the current compliance status and when needed, Map to Regulatory Bundle and Address following the provided link under the verification column.
You can learn more in the Console: Regulatory Compliance Report Getting Started.
A: In most cases, for one of two reasons:
- There are phone numbers in your account that do not have appropriate identity information mapped to them.
- We have received notification from a regulator or carrier of new regulatory requirements, and need to collect additional information from you.
Currently, the bulk of our regulatory compliance emails relate to 1. These are not new requirements, indeed, we have been informing our customers of these requirements for more than a year. To avoid receiving these emails from us going forward, please verify that all numbers in countries with regulatory requirements posted have valid identity information mapped to them, and have been marked as “compliant”. You can check the status of your numbers by accessing your Compliance Report.
In the event of new regulatory or carrier requirements (2), we strive to give you the tools necessary to comply. To that end, you should expect that all communications from us regarding changes to regulations will clearly state:
- What phone numbers are at-risk.
- What the change requires.
- How to provide the necessary information.
- A clear deadline to come to compliance.
In some instances, you may also receive outreach from our Customer Support team and/or your account representative in order to further assist you in bringing your numbers into compliance.
Q: I received an email regarding compliance. Can you let me know what phone number and what document(s) I am missing?
A: Yes. We are here to help. To determine which of your numbers is out of compliance, you can check your Compliance Report. You can also reach out to your account representative for additional assistance, or email email@example.com if you continue to have trouble.
A: The v2 RC APIs provide the following new functionality:
- Request Regulations requirements via API for a given country, phone number type, and end-user type.
- Manage a library of uploaded End-User information, Supporting Documents, and Regulatory Bundles.
- Granular error handling of Regulations.
- Final API contract for Regulatory Compliance management (contract will not change moving forward).
A: The new v2 RC APIs are currently available for public use. For more information visit this Table of Contents for API docs.
Q: What are the different RC objects?
A: Regulation: Bundle Requirements are the specific prerequisites to create a Bundle. Please note that these can be different depending on the context. For Regulatory Bundles, the Requirement is the Regulation, designated by the Regulation SID.
Regulatory Bundle: A Regulatory Bundle is a container that groups the assignment of End-User, Use-Case Restrictions, Addresses, and Supporting Documents. The collection of these Item Assignments are used to pass a Regulatory Compliance regulation for number
End-User: A collection of metadata representing the entity who will be communicating using one of our products.
Supporting Document: A collection of metadata representing a document to support an End-User’s information, address, or use-case.
Address: A locality-based object that represents the location of an End-User.
A: You can view the workflow below or in the v2 RC APIs Getting Started page.
A: The Twilio Console experience also changed in December 2019 to help you get your numbers to compliance much easier. You will begin this process in the Phone Numbers > Regulatory Compliance section, where you will Create a Regulatory Bundle. Here you will define the country and phone number type you are getting ready to provision, and then follow each step in the creation process providing the required information and documentation. Please note that before completing the Bundle creation process, each ISO country and number type requires different information and/or documents based on specific country regulations.
Once your Bundle has been created and verified, you can now provision phone numbers for the specific country and number type you created the Bundle for. Simply head to the Buy a Number section and follow the on-screen steps to map the new phone number to your Bundle.
A: A BundleSID is an object that acts as a container to store metadata and to reference other objects that comply with a regulation. When a Bundle has been evaluated against a regulation and passed, the BundleSID can then be assigned to a phone number.
A: IdentitySIDs are from v1.0 and v1.5 Regulatory Compliance. Identity objects are simplistic to the old Regulatory Compliance platform and do not have the robust information architecture as the current v2.0 Regulatory Compliance platform. Any migrated IdentitySIDs have a reference to the newBundle SID and both are accepted during provisioning.
Q: Do I need a Bundle SID for each phone number type in every country where I have phone numbers? In some countries the requirements are the same for each bundle type, so do I need a Bundle SID for each phone number type or can I use the same Bundle SID?
A: Yes, a Regulatory Bundle is required for every single regulation. To decrease the complexity, Supporting Documents and End-Users can be re-used for multiple Bundles.
A: No, you can not currently assign phone numbers in bulk to Regulatory Bundles. For high number assignment, it’s best to use the /IncomingPhoneNumbers API.
A: No, Supporting Documents are account specific and cannot be shared across multiple accounts.
A: No, End-Users cannot be shared across multiple accounts.
A: We strive to review all regulatory bundles within a 24-hour timeframe. In the event that your regulatory bundle is not reviewed within 48-hours, please reach out to firstname.lastname@example.org and one of our support agents will assist you in getting your bundle reviewed.
A: The IncomingPhoneNumbers provisioning API was changed in September 2019 to make the Address parameter mandatory. Additionally, the API will be changed in February to require BundleSID. These changes are due to the increasing importance of regulatory compliance for phone numbers across the world. Many countries have recently been increasing their scrutiny of how their phone numbers are used. This increased scrutiny is driven by various factors, including increased incidents of misuse and abuse of phone numbers, heightened national security concerns, and increased pressure on the supply of numbers. As a result, various countries are updating their regulations or placing greater emphasis on the enforcement of existing regulations, including those requiring validation of who is actually using the phone number and exactly where that individual or business is located. Essentially the purpose of these regulations is to verify who is using the number and where they are. Twilio, our customers, end-users, and providers each have a role and a collective obligation to ensure numbers are assigned and used in a manner consistent with the intent of the regulations in the relevant country.
We decided to make these changes with our customers’ best interests at heart as we monitor the regulatory compliance landscape. Twilio, our customers, end-users, and providers each have a role and a collective obligation to ensure numbers are assigned and used in a manner consistent with the intent of the regulations in the relevant country. Our goal is to avoid any of our customers being in jeopardy of losing a phone number due to noncompliance with phone number regulations. We understand that this change may be inconvenient and frustrating. Our goal is to protect your phone numbers within days of provisioning them by collecting the necessary information upfront through the API instead of asking our customers to react in a short time frame when a number is out of compliance.
A: Yes, there are more changes that will be coming. One change will be every phone number that currently only requires a name and address will also require a Bundle with an Address assigned to a Supporting Document.