Resellers of communications are included within the “voice service provider” definition but do not have control over the way in which their calls are transmitted across the network. Resellers should work with their facilities-based vendor to determine whether outbound calls will be authenticated and how the attestation level of calls will be determined. In addition, resellers should confirm that inbound calls will be verified before being presented for termination.
A communications service provider’s obligations will vary depending upon the role that it serves for particular calls, or even whether it is the provider of voice service on a particular call. Therefore, providers should examine their services closely to determine the extent to which the provider offers voice service on the call.
What does STIR/SHAKEN require voice service providers to do?
The obligations of a voice service provider depend on where the provider is in the call path for a particular call:
Originating providers must: (a) authenticate and verify SIP calls originated and terminated on their networks, and (b) authenticate SIP calls it will exchange with other voice service providers.
Intermediate providers must: (a) pass authentication information to the next provider in the chain unaltered, and (b) authenticate un-signed calls (subject to certain exceptions).
Terminating providers must verify SIP calls they receive from other providers for termination to the end user.
Small Providers – Providers with 100,000 or fewer subscribers lines have an additional two years, until June 30, 2023, to implement STIR/SHAKEN.
Unable to Obtain SPC Tokens – Providers that are unable to obtain the SPC tokens necessary to authenticate calls have an indefinite exemption from implementing STIR/SHAKEN until the provider is capable of obtaining a token. However, calls from this service provider may be authenticated by the next carrier in the chain of completion. Such calls are likely to receive a lower attestation level than the originating service provider could provide.
Services Subject to Discontinuance – For services subject to a pending Section 214 discontinuance as of June 30, 2021, providers have an additional year, until June 30, 2022, to implement STIR/SHAKEN for the services, unless the service is discontinued before then.
Non-IP Portions of Networks – The non-IP portions of a provider’s network have an indefinite exemption from STIR/SHAKEN implementation but are subject to other requirements discussed below.
Case-by-Case Exemption – Providers can petition the FCC’s Wireless Bureau for an exemption or extension for implementing STIR/SHAKEN on a case-by-case basis; the formal petition deadline has passed, but the Bureau may still consider new petitions.
the provider must take reasonable steps to avoid originating illegal robocall traffic (the FCC recommends the use of reasonable analytics);
the provider must commit to respond to requests from the Industry Traceback Group to trace suspect calls for mitigation efforts; and
the provider must cooperate in investigating and stopping any illegal robocallers (meaning that the provider must block calls or callers that are believed to be illegal).
Resellers – The FCC has specified that the STIR/SHAKEN implementation requirement does not apply to providers that lack control of the network infrastructure necessary to implement the framework, so resellers do not have any implementation obligations themselves. However, because a wholesaler may not have a direct relationship with the resellers’ subscribers, the wholesaler may not be positioned to provide higher-level attestations for the subscribers to ensure those calls are trusted. As such, resellers – particularly those with high-volume calling subscribers – may want to utilize contractual mechanisms with their wholesalers so that their subscribers’ calls will be signed with the highest attestation level possible.
Further, the robocall mitigation program requirements apply to a reseller regardless of its STIR/SHAKEN obligations. Resellers should develop plans to identify and mitigate unlawful robocalls originating with their customers.
Exclusive Wholesalers – Because wholesalers control the network infrastructure, they are responsible for implementing STIR/SHAKEN or robocall mitigation across their networks and for complying with the certification requirements. Because wholesalers will be responsible for blocking calls that are determined or suspected to be illegal, they may have to block calls from their resale customer subscribers. Additionally, wholesalers may be subject to greater scrutiny if the subscribers of their resale customers generate illegally spoofed calls. Wholesalers should consider using contractual mechanisms with their resale customers to prevent the customers from developing relationships with subscribers who generate illegally spoofed calls and to limit liability when the wholesaler must block the calls of a resale customer’s subscribers.
Foreign Voice Service Providers – Although the FCC does not have the authority to mandate that foreign voice service providers implement STIR/SHAKEN, foreign voice service providers are, as a practical matter, obligated to file a robocall mitigation certificate with the FCC that they have implemented a robocall mitigation program in order to avoid blocking of their traffic by downstream providers.
International Gateways – There is no process under the current STIR/SHAKEN framework for international gateway providers to authenticate calls they receive from their foreign provider customers. This is largely because of differences in international standards for call authentication, which are still under development. However, international gateways are permitted to authenticate calls according to industry standards, and thus may be able to obtain relevant information from their customers to satisfy the particular attestation standards established.