Voluntary, cross-industry guidance for protecting the integrity of the streaming economy — published by the Music Fights Fraud Alliance and endorsed across the digital music value chain.
Fraud in the digital music space threatens the integrity of the streaming economy, syphons royalties from legitimate artists and rightsholders, distorts the market, and erodes confidence across the ecosystem. The Music Fights Fraud Alliance was formed, in part, to develop shared standards that protect the rights of creators and the health of the marketplace.
These Recommendations represent a set of core principles and guidance for industry stakeholders to adhere to. They are not binding regulations — they are voluntary guidance grounded in five foundational principles, designed to be adapted to the operational realities of each organization while maintaining a common baseline of integrity across the digital music supply chain.
Every recommendation in the framework is grounded in the same five principles. They are the lens through which we expect every signatory to interpret and implement the guidance.
Intervene early through real-time detection and prevention rather than relying solely on reactive enforcement.
Maintain clear, consistent communication with clients, partners, and platforms. Document policies and decisions openly.
Respond to offenses with a structured, fair enforcement process. Hold every participant in the value chain responsible.
Enable secure data-sharing and collective learning. Fraud is a shared problem requiring shared solutions.
Regularly revisit protocols, tools, and policies to reflect technological advances and evolving fraud typologies.
Each recommendation applies across the value chain — DSPs, labels, distributors, publishers, PROs, and aggregators.
Robust identity verification is a foundational defense against fraud. All organizations should adopt KYC practices modeled on standards used in regulated sectors such as banking and fintech, adapted for the music distribution context.
Organizations that directly engage with, or on behalf of, an individual artist, songwriter, producer, or other creative individual should vet and verify their identity and legitimacy prior to entering into a business relationship, onboarding as a client, granting access to any services, or collecting or distributing royalties.
Organizations providing services to business clients should conduct due diligence on the business entity itself — verifying business registration and profile information, financial documentation, digital footprint, and that the entity legitimately owns or represents the intellectual property and catalog it claims.
Establishing the origin and authenticity of creative works is essential to maintaining the integrity of the global music ecosystem. Organizations should validate the authenticity of content prior to selling, distributing, hosting, or otherwise making it available.
Organizations should verify the legitimacy of copyright ownership and authorship claims, and should strive to validate attribution and metadata accuracy of all creative personnel associated with the content. Organizations should also assess content history for any discrepancies in authorship or ownership claims.
Organizations should ensure that all applicable rights, licenses, and authorizations have been obtained for AI-generated content and content with synthetic elements. Organizations should verify that the origin of such content is not misrepresented in order to circumvent policy or guardrails.
Organizations should establish robust, continuous monitoring systems to detect fraudulent or anomalous performance activity at the earliest possible stage. Any abnormal or unexplained activity may require additional analysis.
Organizations should implement structured processes for ingesting, classifying, and acting upon fraud reports and notices received from partners. They should also deploy or integrate tools capable of monitoring streaming patterns in real time or near-real time.
When suspicious activity is detected, organizations should promptly notify affected clients and partners, and maintain a documented record of all communications, responses, and outcomes.
Organizations should implement globally recognized financial controls and regulations over the payout process designed to prevent, detect, and recover funds associated with fraudulent activity.
Organizations should monitor payout activity for suspicious behavior and work with authorities, payment processors, and other stakeholders to flag associated accounts. They should also consider hold periods, payout thresholds, and additional controls to limit bad actors from quickly extracting funds.
Organizations should maintain clear contractual authority and operational processes to recover royalties paid on streams that are subsequently determined to be fraudulent. Where fraud involves criminal activity, organizations should have established protocols for engaging law enforcement, regulatory agencies, and rights organizations.
Fraud detection is only as strong as the reporting systems that capture, track, and communicate findings. Organizations should adopt practices that ensure data integrity, internal visibility, and appropriate sharing across the ecosystem.
Organizations should adhere to global standards governing privacy, consumer protection, and data sharing.
Internally, organizations should maintain unified and standardized reports and communications across key departments. Externally, they should capture and share actionable data with partners aligned with industry standards and expectations.
Organizations should establish clear internal procedures for investigating suspected fraud and responding to confirmed incidents. A structured approach ensures that investigations are thorough, decisions are documented, and responses are proportionate.
Organizations should adopt a tiered incident classification system that distinguishes between routine flags, moderate concerns, and critical incidents. Each tier should have defined response timelines, escalation paths, and communication protocols.
Post-incident reviews should be conducted for all significant cases to capture lessons learned and refine detection capabilities.
Detection without consistent enforcement is insufficient. Organizations should adopt a structured framework for applying sanctions that are proportionate, transparent, and consistently applied across all clients.
Client and partner agreements should define prohibited activities, grant the right to investigate and take enforcement action, establish clawback and offset rights, include cooperation obligations during investigations, and specify grounds for suspension or termination.
Sanctions should escalate in proportion to severity and frequency of violations, with specific enforcement actions clearly documented and communicated. Organizations should provide clients with a fair opportunity to contest enforcement decisions.
Fraudsters exploit gaps between companies, platforms, and enforcement processes. The industry's collective defense depends on collaboration.
Organizations should actively participate in cross-industry efforts — such as those facilitated by the MFFA — to align practices, identify solutions, and coordinate enforcement.
Organizations should participate in controlled intelligence and data-sharing mechanisms while ensuring compliance with applicable privacy regulations.
The fraud landscape evolves rapidly. Organizations should maintain ongoing awareness of emerging threats, technologies, and tactics to ensure their prevention efforts remain effective.
Organizations should invest in continuous education and training for relevant personnel, covering evolving fraud schemes, emerging technologies, compliance requirements, and industry developments.
Organizations should also maintain up-to-date security measures and compliance protocols that reflect the current threat environment and applicable regulatory requirements.
Streaming services, major and independent labels, distributors, publishers, performing rights organizations, and artist and manager groups have endorsed the recommendations. The list grows as new endorsements are confirmed.
Stand with the industry's first cross-stakeholder fraud mitigation framework. Endorsing organizations are listed publicly and receive an endorsement kit with implementation guidance, copy blocks, and graphics.