Robocall Mitigation Tips for Providers Amid FCC Crackdown
By: Jessica Gyllstrom and Ashley Brydone- Jack
Law 360 (March 10, 2023)
The divided Federal Communications Commission may be deadlocked on some policy issues, but there is no partisan disagreement on the need to crack down on illegal robocalls. And, the FCC is sending a clear anti- robocall message to voice service providers: Know your customers or risk the consequences.
In response to congressional directives and consumer complaints, the commission is making combating illegal robocalls a top consumer protection priority. The agency is continuing to work diligently to adopt rules that help identify and eliminate the source of these illegal calls. And of late, the FCC has been taking significant actions to enforce these rules.
For example, based on a finding that international carrier Global UC Inc. failed to implement required caller ID verification technology to combat robocalls, the FCC adopted a first-of-its-kind order last November prohibiting U.S. carriers from accepting Global UC traffic, thereby effectively denying it access to the U.S. voice market.
Then, in December of last year, the commission proposed a record- breaking fine of nearly $300 million against the all-too-familiar fraudulent auto warranty robocall campaign.
Now, in just the first six weeks of 2023, the FCC’s Enforcement Bureau already has issued four separate cease-and-desist letters to U.S. voice service providers, requiring them to stop originating apparently illegal robocall traffic on their networks. The letters warned that failing to comply could result in downstream providers blocking all of the originating provider’s traffic.
Notably, one of those cease-and-desist letters was issued to Twilio which had over $1 billion in revenues in the fourth quarter of 2022, making it one the larger communications businesses in the U.S.
This obviously is a serious matter, particularly since Twilio previously publicly announced that it was in full compliance with the FCC’s STIR/SHAKEN protocol, which is intended to ensure that all transmitted phone calls are legitimate and authenticated.
Other carriers need to familiarize themselves with the details of Twilio’s case and take whatever steps they can to avoid finding themselves in the FCC’s crosshairs.
The FCC letter to Twilio indicates that a Twilio client, PhoneBurner, had enabled an apparently illegal robocall campaign on behalf of a PhoneBurner client, MV Realty PBC LLC. MV Realty was improperly initiating calls to wireless phones without consent.
Twilio claimed to believe that consent had been received, perhaps based upon on information provided to it by its customer PhoneBurner.
Nonetheless, Twilio was deemed by the FCC to be responsible, ordered to investigate the identified traffic and required to take steps to prevent Twilio’s network from continuing to be a source of apparently illegal robocalls.
Failure to do so could result in the removal of Twilio’s certification in the robocall mitigation database, which would cause all intermediate and terminating voice service providers to cease accepting its calls.
More enforcement letters of this nature are likely. In a February presentation sponsored by the Federal Communications Bar Association, the FCC’s Enforcement Bureau confirmed that cracking down on robocalls is a top priority for the agency in 2023.
Given this focus, voice service providers should review and update their robocall mitigation policies and practices. While most providers are familiar with their STIR/SHAKEN implementation obligations, there are other mitigation techniques that deserve attention as well.
In the 2020 Fourth Call Blocking Order, the FCC adopted, among others, a requirement that originating providers must “know their customers” and exercise “due diligence” to ensure that their customers are not utilizing the voice service provider’s services to originate illegal robocalls.
“Due diligence” is a favorite term of regulators and attorneys but, unfortunately, it does not lend itself to a precise meaning. That is evident here. The FCC indicated that imposing and enforcing protective contract terms could be a valuable tool in meeting the know-your- customer obligation.
But, it refrained from specifying a required or recommended set of model contract provisions, stating that voice service providers needed flexibility to develop procedures that worked with their specific business practices and network systems.
So, what is a carrier to do? First, having written contract provisions that require a customer to acknowledge and agree to abide by the FCC’s rules pertaining to robocalls is important. This will provide evidence of the carrier’s attentiveness to these requirements and provide a contractual basis to terminate a customer who does not comply.
The contract also should enable the carrier to request and receive evidence that the customer maintains an FCC compliant do-not-call list.
And, one lesson from the Twilio case is that, upon the receipt of information that puts a carrier on notice that a customer may not be abiding by these requirements — e.g., an inquiry from the registered industry traceback consortium — the carrier needs to investigate and take action to put an end to any unlawful calls.
What else can a provider do to better know its customers and better protect consumers? The answer depends on what is likely to work best for your network and customer base. Different call patterns and customer profiles may require different approaches. The following options may be worth considering:
1. Know Your Customer’s Business
When onboarding new customers, collect detailed information regarding the customer’s business. In addition to customer-provided information, check websites, social media pages and posts, traceback data, and recent regulatory filings.
Determine whether the customer will be using, or offering to third parties, auto dialers or power dialers, and whether the customer expects to be generating large call volume — which is discussed further below. Also, ascertain whether the customer will be using, or offering to others, a branded ID service that might allow the calling party to mask or misrepresent the caller’s identity.
For existing clients, voice service providers can review the information they have on file to determine whether they need to collect additional information from their customers to protect against any claims of illegal robocalls.
2. Know Your Customer’s Identity and History
Seek to ascertain the real party in interest of the customer and compare the company information and principals’ names to global sanctions and watch lists, FCC orders and enforcement actions, and state investigations or reports.
Rebranding is a common tactic of robocallers to escape enforcement, so it will be helpful to determine if associated individuals or affiliated companies have been involved with illegal robocalling schemes in the past.
3. Pay Attention to High Call Volumes
The FCC’s robocall enforcement actions typically target high volume violators. For example, the auto warranty scammer placed over 5 billion calls in a three-month period! Therefore, voice service providers should be particularly diligent in investigating customers who are promising or generating an unusually high volume of originating calls.
4. Refresh Your Data
Once a customer relationship has been established, voice service providers may also consider ways to ensure their customers are complying with the FCC’s rules and requirements on an ongoing basis. Such methods may include audit rights and regular contractual renewals that require review of the customer’s practices and recertification that they are complying and will continue to comply with the FCC’s rules and procedures.
5. Enable Yourself to Act Quickly
Twilio was obligated to report to the FCC quickly — within 48 hours — and to take corrective action promptly within 14 days. As a consequence, providers will want to ensure their contracts do not require lengthy or complicated notice procedures that could prevent them from swiftly addressing a problem and complying with the FCC’s requirements.
Providers also should consider clauses that require resellers or over-the-top service providers to include similar provisions in their customer contracts with third parties.
Please note that the foregoing are suggestions only; this list is not exhaustive, nor should it be considered legal advice for compliance purposes.
While this article has focused on the FCC’s know-your-customer requirement, this is but one aspect of robocall-related compliance imposed by the FCC. Providers should implement FCC- compliant policies consistent with their own network operations and business plans.
In sum, the effort to stop illegal robocalls has bipartisan support and enforcement activity
will continue to ramp up. In recent congressional sessions, members have introduced multiple bills intended to expand the FCC’s authority and tools to address this problem.
And, the FCC has continued to initiate rulemakings to expand its arsenal, including recent items exploring “robotext” mitigation, additional filing and certification requirements, and expanding the authentication requirements to different types of providers.
Since enforcement actions will be on the rise, voice service providers need to be diligent in establishing and enforcing effective techniques for identifying and mitigating the use of their networks to deliver illegal robocalls.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.