FCC Expands STIR/SHAKEN to Intermediate Providers and Extends Robocall Mitigation Requirements

The FCC has released new rules that expand caller ID authentication requirements, impose enhanced robocall mitigation obligations, create new mechanisms to hold providers accountable for non-compliance, and set forth the STIR/SHAKEN obligations of satellite providers . The FCC is also seeking comment on additional measures it proposes to strengthen the STIR/SHAKEN authentication system. The rules and proposals were announced in the Sixth Report and Order (R&O) and Further Notice of Proposed Rulemaking (FNPRM).

I. All Providers – Must Mitigate Robocalls under “Reasonable Steps” Standard and File Robocall Mitigation Plans in the Robocall Mitigation Database

The R&O requires ALL providers in the call chain, regardless of STIR/SHAKEN status or whether they have the facilities to implement STIR/SHAKEN, to file a Robocall Mitigation Plan (RMP). The RMP must describe the “reasonable steps” the provider has taken to mitigate illegal robocalls that is, the general mitigation standard. The RMP and a certification regarding the STIR/SHAKEN implementation status must be filed in the Robocall Mitigation Database (RMD). The RMP must commit to timely respond and cooperate with all traceback requests from the FCC, law enforcement, and the industry traceback consortium. Newly covered providers must meet the general mitigation standard within 60 days after the R&O is published in the Federal Register.

Providers already registered in the RMD must amend previously submitted RMPs to provide the additional information describing:

    • How they meet their existing obligation to prevent new and renewing customers from originating illegal calls.
    • Any “know your upstream provider” and “know your customer” procedures in place (as applicable).
    • Any call analytics systems used to identify and block traffic, including whether third-party vendor(s) are used and the name of the vendor(s).

Providers with new RMD filing obligations must submit a certification signed by an officer of the company with company information and whether the STIR/SHAKEN authentication framework in the IP portions of its network are fully, partially or not implemented.

New Information to Submit with Mitigation Plans. All current and new providers must submit the following additional information:

    • The provider’s role(s) in the call chain (for example, a voice service provider serving end-users or a wholesale provider originating calls with STIR/SHAKEN implementation obligations).
    • If asserting no obligation to implement STIR/SHAKEN – The filing must explicitly state the rule and explain in detail why the exemption applies.
    • Certification that the provider has not been prohibited from filing in the RMD.
    • Whether in the prior two years the filing entity was subject to a Commission, law enforcement or regulatory agency action or investigation due to alleged robocalling, or spoofing with details and any final determination; and
    • Providers with an Operating Company Number must submit the OCN or indicate they do not have one.

RMD Filing Deadlines

    • Providers newly subject to RMD filing obligations must submit a certification and mitigation plan to the RMD by the later of (i) 30 days following publication of the Office of Management and Budget approval of the new filing requirements in the Federal Register; or (ii) any deadline set by the FCC’s Wireline Competition Bureau in a Public Notice.
    • Existing filers subject to new or modified requirements must amend their filings with the newly required information by the same deadline.
    • Providers that are required to fully implement STIR/SHAKEN but have not done so by the RMD filing deadline – must indicate so in its filing. Filings must be updated within 10 business days of completing STIR/SHAKEN implementation.

II. First Intermediate Providers – Mandatory Authentication Requirement

Under the STIR/SHAKEN framework, originating voice service providers (“gatekeepers”) are required to authenticate calls before they pass calls downstream to “intermediate providers,” which are providers that do not originate or terminate calls. The FCC’s new rules extend the authentication requirement to the first non-gateway intermediate provider in the call path of an unauthenticated “Session Initiated Protocol” or “SIP” call, regardless of traceback obligations. The compliance deadline for first intermediate providers is December 31, 2023.

The FCC notes in its R&O that the new rule requiring first intermediate providers to authenticate calls using STIR/SHAKEN technology addresses a gap in the current system that allows unauthenticated calls to proceed downstream when not authenticated by the originating provider. This second layer of protection seeks to address situations when (i) the originating provider cannot implement the framework due to lack of control over the necessary network infrastructure; or (ii) the originating provider deliberately allows unauthenticated calls to evade call authentication and infiltrate the STIR/SHAKEN framework.

To close this loophole, by December 31, 2023, the FCC mandates first intermediate providers to either upgrade their network to implement STIR/SHAKEN or maintain documented proof that it is participating as a member of a working group, an industry-standards group or consortium that is working to develop a non-IP caller ID authentication solution.

III. FCC’s New Robocall Enforcement Tools

The FCC’s R&O provides new tools for the Enforcement Bureau to hold providers accountable for failing to block illegal robocalls. The Enforcement Bureau may: (i) impose a $2,500 - $23,727 penalty per call for a provider’s failure to block traffic; (ii) remove non-gateway intermediate providers and voice service providers from the RMD for filing a deficient robocall mitigation plan (with a 10-day cure period); and (iii) revoke Section 214 authorization from providers that continue to violate robocall mitigation rules.

IV. Satellite Provider STIR/SHAKEN Obligations

The FCC concluded that satellite providers that originate calls using non-NANP numbers are not “voice service providers” within the meaning of the TRACED Act and therefore are not obligated to implement STIR/SHAKEN.

Small voice providers that are satellite providers originating calls using NANP numbers are provided with an indefinite extension from STIR/SHAKEN implementation to be reevaluated annually. Small voice satellite providers originating calls using NANP numbers must still submit a certification to the RMD like other voice service providers with an extension.

Sixth Further Notice of Proposed Rulemaking

The FCC will consider new rules regarding: (i) use of third-party authentication solutions and whether the FCC should permit, prohibit or limit their use; and (ii) whether the FCC should eliminate the STIR/SHAKEN implementation for providers that cannot obtain an SPC token.

Comments on the proposals are due 30 days after publication in the Federal Register and Reply Comments are due 60 days after publication in the Federal Register.

If you have questions regarding STIR/SHAKEN implementation and preparation for participation, please call an attorney in our Broadband, Spectrum, and Communications Infrastructure practice group.