The FCC has released new rules that expand caller ID authentication requirements, impose enhanced robocall mitigation obligations, create new mechanisms to hold providers accountable for non-compliance, and set forth the STIR/SHAKEN obligations of satellite providers . The FCC is also seeking comment on additional measures it proposes to strengthen the STIR/SHAKEN authentication system. The rules and proposals were announced in the Sixth Report and Order (R&O) and Further Notice of Proposed Rulemaking (FNPRM).
I. All Providers – Must Mitigate Robocalls under “Reasonable Steps” Standard and File Robocall Mitigation Plans in the Robocall Mitigation Database
The R&O requires ALL providers in the call chain, regardless of STIR/SHAKEN status or whether they have the facilities to implement STIR/SHAKEN, to file a Robocall Mitigation Plan (RMP). The RMP must describe the “reasonable steps” the provider has taken to mitigate illegal robocalls that is, the general mitigation standard. The RMP and a certification regarding the STIR/SHAKEN implementation status must be filed in the Robocall Mitigation Database (RMD). The RMP must commit to timely respond and cooperate with all traceback requests from the FCC, law enforcement, and the industry traceback consortium. Newly covered providers must meet the general mitigation standard within 60 days after the R&O is published in the Federal Register.
Providers already registered in the RMD must amend previously submitted RMPs to provide the additional information describing:
Providers with new RMD filing obligations must submit a certification signed by an officer of the company with company information and whether the STIR/SHAKEN authentication framework in the IP portions of its network are fully, partially or not implemented.
New Information to Submit with Mitigation Plans. All current and new providers must submit the following additional information:
RMD Filing Deadlines
II. First Intermediate Providers – Mandatory Authentication Requirement
Under the STIR/SHAKEN framework, originating voice service providers (“gatekeepers”) are required to authenticate calls before they pass calls downstream to “intermediate providers,” which are providers that do not originate or terminate calls. The FCC’s new rules extend the authentication requirement to the first non-gateway intermediate provider in the call path of an unauthenticated “Session Initiated Protocol” or “SIP” call, regardless of traceback obligations. The compliance deadline for first intermediate providers is December 31, 2023.
The FCC notes in its R&O that the new rule requiring first intermediate providers to authenticate calls using STIR/SHAKEN technology addresses a gap in the current system that allows unauthenticated calls to proceed downstream when not authenticated by the originating provider. This second layer of protection seeks to address situations when (i) the originating provider cannot implement the framework due to lack of control over the necessary network infrastructure; or (ii) the originating provider deliberately allows unauthenticated calls to evade call authentication and infiltrate the STIR/SHAKEN framework.
To close this loophole, by December 31, 2023, the FCC mandates first intermediate providers to either upgrade their network to implement STIR/SHAKEN or maintain documented proof that it is participating as a member of a working group, an industry-standards group or consortium that is working to develop a non-IP caller ID authentication solution.
III. FCC’s New Robocall Enforcement Tools
The FCC’s R&O provides new tools for the Enforcement Bureau to hold providers accountable for failing to block illegal robocalls. The Enforcement Bureau may: (i) impose a $2,500 - $23,727 penalty per call for a provider’s failure to block traffic; (ii) remove non-gateway intermediate providers and voice service providers from the RMD for filing a deficient robocall mitigation plan (with a 10-day cure period); and (iii) revoke Section 214 authorization from providers that continue to violate robocall mitigation rules.
IV. Satellite Provider STIR/SHAKEN Obligations
The FCC concluded that satellite providers that originate calls using non-NANP numbers are not “voice service providers” within the meaning of the TRACED Act and therefore are not obligated to implement STIR/SHAKEN.
Small voice providers that are satellite providers originating calls using NANP numbers are provided with an indefinite extension from STIR/SHAKEN implementation to be reevaluated annually. Small voice satellite providers originating calls using NANP numbers must still submit a certification to the RMD like other voice service providers with an extension.
Sixth Further Notice of Proposed Rulemaking
The FCC will consider new rules regarding: (i) use of third-party authentication solutions and whether the FCC should permit, prohibit or limit their use; and (ii) whether the FCC should eliminate the STIR/SHAKEN implementation for providers that cannot obtain an SPC token.
Comments on the proposals are due 30 days after publication in the Federal Register and Reply Comments are due 60 days after publication in the Federal Register.
If you have questions regarding STIR/SHAKEN implementation and preparation for participation, please call an attorney in our Broadband, Spectrum, and Communications Infrastructure practice group.