On November 22, 2024, the FCC released the Report and Order aiming to improve the FCC’s caller ID authentication rules by clarifying third-party roles and ensuring the responsible party adheres to STIR/SHAKEN standards, thereby reinforcing accountability. The item was adopted at the November Open Meeting. There were no notable changes from the draft Report and Order.
The R&O adopts the following requirements:
- Definition of “Third-Party Authentication” – The FCC defines the term “third-party authentication” to outline permissible practices. Third-party authentication “refer[s] to scenarios in which a provider with a STIR/SHAKEN implementation obligation under the Commission’s rules enters into an agreement with another party—a ‘third party’—to perform the technological act of signing calls on the provider’s behalf.”
- Authorization and Conditions – The FCC authorizes providers with STIR/SHAKEN implementation obligations to engage third parties for digitally “signing” calls, under two conditions:
- (1) The provider must make key “attestation-level” decisions for caller ID authentication; and
- (2) All calls must be signed using the provider’s certificate, not a third party’s.
- Certification Requirements – The FCC requires all providers with implementation obligations to obtain a Service Provider Code (SPC) token from the Policy Administrator and present it to a STIR/SHAKEN Certificate Authority for a digital certificate.
- Compliance for Certification – The FCC mandates that any provider certifying partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database must have an SPC token and digital certificate, signing all calls with that certificate, either themselves or when working with a third party to perform the technological act of signing calls.
- Recordkeeping Requirements – The FCC adopts recordkeeping requirements for third-party authentication to ensure compliance with the Commission’s rules.
Please Contact Us with any questions.