Purpose
Sinch is committed to maintaining a trusted messaging ecosystem that protects consumers, supports legitimate messaging programs, and meets the compliance expectations established by Mobile Network Operators (MNOs), industry associations, and applicable regulatory requirements.
This document defines the Sinch process for identifying, managing, communicating, remediating, and closing Messaging Compliance Incidents.
Sinch follows established industry compliance frameworks, including severity definitions, remediation timelines, Service Level Agreements (SLAs), and cure periods established by:
Cellular Telecommunications Industry Association (CTIA)
Mobile Network Operators (MNOs)
Canadian Telecommunications Association (CTA)
Canadian wireless carriers
Applicable messaging ecosystem standards
This framework applies to Sinch messaging products operating in the United States and Canada, including:
Short Code Messaging
Toll-Free Messaging
A2P Long Code Messaging
A2P 10DLC Messaging (United States)
RCS Messaging
Other sanctioned A2P messaging channels supported by Sinch
Compliance Incident Definition
A Compliance Incident is any event where messaging activity, registration information, consent practices, traffic patterns, customer behavior, or messaging content may violate:
Carrier messaging requirements
CTIA or CTA industry standards
Sinch Acceptable Use Policy
Customer contractual requirements
Applicable laws and regulations
Compliance incidents may be identified through:
Carrier monitoring
Industry audits
Consumer complaint reporting
Spam reporting channels
Sinch Compliance Operations
KYT (Know Your Traffic) monitoring
Content and campaign review
Registration and consent validation
Sinch-initiated incidents carry the same operational importance as carrier or industry-initiated compliance actions.
United States Compliance Incident Severity Framework
Sinch utilizes the CTIA and MNO-defined severity framework as the baseline for US messaging compliance incidents.
The CTIA Short Code Monitoring Handbook severity model provides the foundation for severity classification, response expectations, remediation timelines, and cure periods.
Severity
Definition
Examples
Required Response
Severity 0
Critical compliance incident involving immediate consumer harm, fraud risk, abuse, or significant ecosystem impact
Phishing, fraud, malicious messaging, unauthorized traffic, significant consumer harm
Immediate action, possible suspension, investigation, RCA, carrier remediation
Severity 1
High priority compliance issue requiring expedited correction
Significant policy violations, consent concerns, elevated complaint activity, campaign abuse
Immediate corrective action within defined cure period
Severity 2
Compliance issue requiring remediation but limited immediate impact
Registration issues, content concerns, campaign health issues
Corrective action and monitoring
Severity 3
Lower risk compliance observation
Minor issues, informational findings, best practice gaps
Notification and remediation guidance
Canada Compliance Incident Severity Framework
Sinch Canada follows a similar compliance incident methodology aligned with Canadian carrier expectations, CTA guidance, and Canadian messaging ecosystem practices.
Canadian compliance actions utilize comparable severity concepts and remediation requirements.
For Canadian Short Code programs, the enforcement approach follows the notification and remediation framework outlined by Canadian industry guidance.
Canadian severity classifications are maintained separately:
Severity
Definition
Examples
Required Response
Severity 1
Critical compliance incident requiring immediate intervention
Fraud, phishing, malicious messaging, significant unauthorized traffic, consumer harm
Immediate containment, investigation, corrective action, possible suspension
Severity 2
High priority compliance issue requiring timely remediation
Consent concerns, campaign violations, elevated complaints, unacceptable traffic patterns
Corrective action within required remediation period
Severity 3
Compliance concern requiring correction
Registration issues, content concerns, campaign health degradation
Remediation plan and monitoring
Severity 4
Informational or lower-risk issue
Minor findings, administrative gaps, recommendations
Notification and correction
US / Canada Severity Alignment
Although severity numbering differs between regions, Sinch aligns response actions based on risk and required remediation urgency.
Business Impact
United States
Canada
Critical / Immediate Consumer Risk
Severity 0
Severity 1
High Risk Compliance Issue
Severity 1
Severity 2
Campaign Health Issue
Severity 2
Severity 3
Informational / Best Practice
Severity 3
Severity 4
Incident Intake and Validation
Upon identification of a potential Compliance Incident, Sinch Compliance Operations will:
Validate the reported activity
Identify impacted:
Customer
Brand
Campaign
Messaging product
Sending resources
Assign severity
Open a compliance ticket
Begin required remediation actions
The compliance ticket is the system of record for:
Incident details
Evidence
Communications
Customer actions
Remediation deadlines
Closure approval
Severity 0 / Critical Incident Process (United States) & Severity 1 (Canada)
These incidents require immediate action.
Examples include:
Fraudulent messaging
Phishing
Malicious content
Account compromise
Significant unauthorized messaging
Consumer harm
Sinch Actions
Upon receiving a Severity 0 notification from an MNO, CTIA or a Severity 1 from Canadian MNO or CTA:
Sinch will:
Notify the affected Partner, CSP, or Brand
Identify impacted messaging resources
Suspend or restrict traffic when required
Begin investigation
Collect evidence
Coordinate remediation
A Root Cause Analysis (RCA) may be required.
Brand / Partner Responsibilities
The Brand or Partner must:
Immediately stop offending activity
Investigate the cause
Provide requested evidence
Submit RCA documentation within the required timeframe
Implement corrective controls
RCA documentation should include:
Summary of incident
Root cause
Timeline
Impact assessment
Corrective actions
Preventative measures
Reactivation may require carrier approval. Not all incidents will qualify for unsuspension.
Sinch-Initiated Critical Compliance Incidents - Severity 0
Sinch may identify critical incidents before escalation from a carrier.
Examples:
Fraud detection through KYT monitoring
Suspicious traffic patterns
Customer account compromise
Abuse indicators
Significant consent failures
Sinch may:
Suspend traffic
Restrict messaging resources
Require immediate remediation
Require RCA
Deprovision resources when necessary
Proactive Compliance Alerts
Sinch may issue proactive compliance alerts when campaign health indicators require attention.
Examples:
Increasing opt-out rates
Elevated spam complaints
7726 / 7727 complaint signals
Content concerns
Consent concerns
Registration inconsistencies
Proactive Alerts require customer action but generally do not require RCA unless requested.
Opt-In Consent Audits
Consent-related concerns may trigger an Opt-In Consent Audit.
Audits may be initiated by:
CTIA
MNOs
CTA
Canadian carriers
Sinch Compliance Operations
Reviews may include:
Opt-in records
Messaging logs
Consent collection methods
Consumer interaction history
Opt-out handling
Required remediation may include:
Campaign updates
Consent process changes
Traffic restrictions
Additional verification
Customer Communication and Ticket Management
All compliance incidents are managed through Sinch ticketing workflows. See Process Documentation below.
Each ticket will contain:
Severity level
Incident description
Impacted resources
Required action
Cure date or remediation deadline
Supporting information
Closure criteria
Customers and partners are expected to provide timely responses and complete remediation actions.
Incident Closure
An incident may be closed when:
Remediation is completed
Required documentation is provided
Compliance risk is addressed
Traffic behavior is verified
Monitoring confirms improvement
Closure does not remove ongoing compliance obligations.
Repeat or unresolved incidents may result in:
Increased monitoring
Additional restrictions
Suspension
Resource deprovisioning
Governance
Sinch Compliance Operations owns administration of this process.
Sinch reserves the right to take action necessary to protect:
Consumers
Carrier networks
Messaging ecosystems
Customers operating compliant messaging programs
This process will evolve as CTIA, CTA, MNO, and regulatory expectations change.
... View more