The Federal Communications Commission (FCC) extended its June 2021 deadline for certain small, non-IP, and other voice service providers to implement STIR/SHAKEN call authentication to reduce illegal and unwanted robocalls but required all providers relying on such extensions to prepare written robocall mitigation plans.
All U.S. voice providers and foreign providers delivering calls to the United States for termination must submit a certification of their implementation of STIR/SHAKEN or a robocall mitigation plan, and all voice service providers will have a new duty not to accept calls directly from service providers that have not submitted such certifications. These new rules set forth in the FCC's Second Report and Order (Second R&O) will significantly impact the operations and reporting obligations of nearly every voice service provider.
As explained in our advisories and posts tracking the TRACED Act's implementation, in March 2020, the Commission began adopting and implementing certain robocall enforcement rules and mechanisms. Those included the establishment of a "traceback" consortium dedicated to identifying and tracing illegal robocalls, the adoption of a new rule requiring all originating and terminating voice service providers to implement the STIR/SHAKEN caller ID authentication framework in all IP portions of their networks by June 30, 2021, and safe harbor protections for providers that unintentionally or inadvertently block lawful calls.
Extensions of STIR/SHAKEN Implementation Deadline
The Second R&O grants the following extensions of the June 30, 2021, STIR/SHAKEN implementation deadline.
Two-Year Extension for Small Providers
Providers with 100,000 or fewer voice subscriber lines are granted until June 30, 2023, to implement STIR/SHAKEN on the IP portions of their networks. Subscriber line counts include all business and residential fixed subscriber lines and mobile phones and aggregated over all of the provider's affiliates.
Extension for Non-IP Portions of Provider Networks
Providers are granted a continuing extension of the STIR/SHAKEN implementation deadline for the non-IP (i.e., TDM) portions of their networks. However, such providers must either:
- (1) Completely upgrade their non-IP networks to IP and implement the STIR/SHAKEN framework; or
- (2) Work to develop a non-IP authentication solution by participating, either on its own or through a third-party representative (such as a trade association of which the provider is a member), as a member of a working group, industry standards group, or consortium until an effective non-IP caller ID authentication framework is fully developed and available on the commercial market.
One-Year Extension for Providers With Services Scheduled for Section 214 Discontinuance
Any provider that has or will file a Section 214 discontinuance application on or before June 30, 2021, is granted a one-year compliance extension to June 30, 2022.
Extension for Providers That Cannot Obtain STIR/SHAKEN Certificates
Participation in STIR/SHAKEN requires a certificate from the program's Governance Authority, which is only issued to providers that file an FCC Form 499-A, have an Operating Company Number (OCN), and can obtain direct access to telephone numbers. The FCC granted these providers an extension until they can obtain a certificate.
The FCC left the door open for provider-specific extensions, "expecting" (but not mandating) providers to file extension requests by November 20, 2020, that specifically address the undue hardships they believe the June 30, 2021, implementation deadline will place upon their resources and technical abilities. The FCC expects to resolve timely requests no later than March 30, 2021.
Robocall Mitigation Program Requirements for Providers Granted Extension
All voice service providers that rely on an extension and do not completely implement STIR/SHAKEN by June 30, 2021, must implement and document a robocall mitigation program designed to reduce unlawful robocalls originating on their networks. The FCC requires all programs to include:
- (1) Detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls;
- (2) Compliance with the described practices; and
- (3) Participation in industry traceback efforts.
The Enforcement Bureau is empowered to prescribe more specific robocall mitigation obligations for any voice service provider it finds has implemented a deficient robocall mitigation program.
All Voice Service Providers Must Submit Certifications and Reject Traffic From Uncertified Providers
The FCC requires every voice service provider to file a certification that its traffic is either signed with STIR/SHAKEN call authentication or subject to a robocall mitigation program. Robocall mitigation certifications must detail the specific "reasonable steps" they have taken to avoid originating illegal robocall traffic.
Additional details such as company contact information will be required, and the FCC plans to announce additional details and a certification deadline during the second quarter of 2021. Providers will have an ongoing obligation to submit updated certifications within 10 days of any change.
The certifications will be used to support a public database. Beginning 90 days after the certification deadline, intermediate and terminating providers will be prohibited from accepting traffic directly from providers not shown in the database as having provided a compliant certification. This rule effectively places an additional duty on all terminating and intermediate providers to monitor the certification database to verify the listing of voice service providers with which they interconnect and to block traffic from non-certified providers.
Intermediate Provider Obligations
The Second R&O requires intermediate carriers to pass unaltered any authenticated Identity header for SIP (IP) calls that they receive from a STIR/SHAKEN participant to the subsequent provider in the call path unless removal is necessary for technical reasons to complete the call or for security reasons where the header presents a threat to its network security.
With respect to unauthenticated calls received in TDM or SIP format, intermediate providers have three options before passing a call to a subsequent provider in SIP:
- (1) Authenticate such calls with "gateway" or "C"-level attestation;
- (2) Authenticate such calls using another method "consistent with industry standards"; or
- (3) In lieu of authenticating each such call, cooperatively participate with the industry traceback consortium and respond to all traceback requests from the FCC, law enforcement, or the consortium.
Prohibition on Line Item Charges for Caller ID Authentication
The Commission prohibits providers from imposing additional line item charges on consumer or small business subscribers for caller ID authentication. This prohibition extends to the cost of upgrading network elements that are necessary to implement caller ID authentication, any recurring costs associated with the authentication and verification of calls, and any costs associated with technology needed to display caller ID authentication information on subscribers' phones.