On March 20, 2023, the FCC released a Sixth Report and Order and Sixth Further Notice of Proposed Rulemaking that adopts a mandatory authentication requirement for the first intermediate providers in the call path, expands robocall mitigation requirements for all providers, adopts additional enforcement tools, and seeks comment on additional steps to further enhance the effectiveness of the STIR/SHAKEN framework. The item was adopted at the Open Commission Meeting.
Sixth Report and Order (“R&O”)
Intermediate Provider Mandatory Authentication Requirement
- The R&O adopts a mandatory requirement for the first (non-gateway) intermediate provider in the path of an unauthenticated SIP call to authenticate the call, regardless of its traceback obligations. The compliance deadline is December 31, 2023.
- The FCC does not require all intermediate providers in the path to authenticate at this time, but recognizes that it may consider expanding the requirement to all intermediate providers in the future. The FCC takes this incremental approach in recognition of the significant costs associated with this new requirement.
- Intermediate providers subject to this requirement must either upgrade their network to allow for the initiation, maintenance, and termination of SIP calls to fully implement STIR/SHAKEN, or must maintain documented proof that it is participating as a member of a working group, industry standards group, or consortium that is working to develop a non-IP caller identification authentication solution.
- Intermediate providers subject to this requirement must comply with, at a minimum, the versions of the STIR/SHAKEN standard in effect at the time of their authentication compliance deadline (December 31, 2023).
- The FCC delegates to the Wireline Competition Bureau the authority to determine whether to seek comment on requiring compliance with revised standards that come into effect after their respective compliance deadlines, and whether to impose such requirements.
Robocall Mitigation and Database Filing Obligations for all Providers
- The R&O requires all providers (including intermediate providers and voice service providers that have implemented STIR/SHAKEN) to take reasonable steps to mitigate illegal robocalls and file certifications regarding STIR/SHAKEN implementation along with robocall mitigation plans (“RMP”) in the Robocall Mitigation Database (“Database”).
- “Reasonable Steps” Mitigation Standard Applied to All Providers: The R&O applies the obligation to mitigate illegal robocalls under the general “reasonable steps” standard to all providers. The FCC refrains from requiring specific measures, but notes that a mitigation program will be “sufficient if it includes detailed practices that can reasonably be expected to significantly reduce the carrying or processing or origination of illegal robocalls.” Such programs must also commit to timely respond to all traceback requests from the FCC, law enforcement, and the industry traceback consortium and to cooperate with such entities. Providers newly covered by the general mitigation standard will be required to meet that standard within 60 days following Federal Register of the publication of this Report and Order.
- Expanded Robocall Mitigation Database Filing Obligation: The R&O requires all providers, regardless of whether they are required to implement STIR/SHAKEN, to file a RMP along with a certification in the Database. The draft R&O also extends the prohibition on accepting traffic from unlisted (including de-listed) providers to non-gateway intermediate providers.
- RMP Contents:
- Consistent with existing providers’ obligations, all providers’ RMPs must describe the specific “reasonable steps” the provider has taken to avoid the origination, carry, or processing of illegal robocall traffic as part of its RMP.
- The FCC also imposes specific additional requirements for the contents of RMPs filed in the database: (1) voice service providers must describe how they are meeting their existing obligation to take affirmative, effective measures to prevent new and renewing customers from originating illegal calls; (2) non-gateway intermediate providers and voice service providers must, like gateway providers, describe any “know-your-upstream provider” procedures in place designed to mitigate illegal robocalls; and (3) all providers must describe any call analytics systems they use to identify and block illegal traffic, including whether they use a third-party vendor or vendors and the name of the vendor(s).
- To comply with the new requirements to describe their “new and renewing customer” and “know-your-upstream provider” procedures, providers must describe any contractual provisions with end-users or upstream providers designed to mitigate illegal robocalls.
- Certification Contents:
- Baseline Information: All providers newly obligated to submit a certification to the Database must submit the following information: (1) whether it has fully, partially, or not implemented the STIR/SHAKEN authentication framework in the IP portions of its network; (2) the provider’s business name(s) and primary address; (3) other business name(s) in use by the provider; (4) all business names previously used by the provider; (5) whether the provider is a foreign provider; and, (6) the name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues. The certification must be signed by an officer of the company, and updates must be submitted within 10 business days of “any change in the information” submitted. Certifications and RMPs must be submitted in English or with a certified English translation.
- Additional Information: The FCC requires all providers: (1) to submit additional information regarding their role(s) in the call chain; (2) asserting they do not have an obligation to implement STIR/SHAKEN to include more detail regarding the basis of that assertion; (3) to certify that they have not been prohibited from filing in the Database; and (4) to state whether they are subject to a Commission, law enforcement, or regulatory agency action or investigation due to suspected unlawful robocalling or spoofing and provide information concerning any such actions or investigations.
- Filing Deadlines:
- Providers newly subject to the above filing obligations must submit a certification and RMP to the Database by the later of: (1) 30 days following publication in the Federal Register of OMB approval of any associated PRA obligations; or (2) any deadline set by the Wireline Competition Bureau through Public Notice.
- Existing filers subject to new or modified requirements adopted in the R&O must amend their filings with the newly required information by the same deadline.
- Compliance with the requirement to refuse traffic from unlisted providers will be required no sooner than 90 days following the deadline for non-gateway intermediate providers to submit a certification to the RMD.
- RMP Contents:
Additional Enforcement Authority
- The R&O provides the Enforcement Bureau with new tools to impose penalties against bad actors, including the following:
- The adoption of a per-call forfeiture penalty for failure to block traffic in accordance with the FCC’s rules and set maximum forfeitures for such violations;
- The authority to revoke Section 214 and other FCC authorizations, licenses, and certifications of repeated offenders
- The authority to remove non-gateway intermediate providers from the database for violations of the rules;
- In the event that a provider’s Database filing is facially deficient, the Enforcement Bureau may remove a provider from the Database using an expedited two-step procedure, which entails providing notice and an opportunity to cure the deficiency.
Satellite Provider STIR/SHAKEN Obligations
- The R&O concludes that satellite providers that do not use NANP numbers to originate calls or only use such numbers to forward calls to non-NANP numbers are not “voice service providers” under the TRACED Act and therefore do not have a STIR/SHAKEN implementation obligation.
- The R&O also provides an indefinite extension from TRACED Act obligations to satellite providers that are small voice service providers and use NANP numbers to originate calls on the basis of a finding of undue hardship.
International Roaming Traffic
- The R&O declines to adopt rules concerning the differential treatment of international roaming traffic.
Sixth Further Notice of Proposed Rulemaking (“FNPRM”)
- Third Party Caller ID Authentication: The FCC explains that the record confirms that third-party authentication is occurring, but does not, however, provide sufficient information to fully assess the impact that explicitly authorizing or prohibiting third-party authentication may have on the STIR/SHAKEN ecosystem. Therefore, the Commission seeks further comment on the use of third-party solutions to authenticate caller ID information and whether any changes should be made to the Commission’s rules to permit, prohibit, or limit their use.
- Eliminating the SPC Token Implementation Extension: The FCC seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for providers that cannot obtain an SPC token.
- Legal Authority: The FCC seeks comment on its legal authority to adopt the proposals in draft FNPRM.
- Digital Equity and Inclusion: The FCC seeks comment on how its proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility.
Please Contact Us if you have any questions