To combat the increasing rate of fraudulent spam callers on the voice network, the FCC took action by mandating that service providers must implement the STIR/SHAKEN caller authentication framework in order to begin validating the identity of originating callers. They set the deadline for the implementation of this framework for June 30th, 2021.
As this date grew nearer, the FCC realized some service providers were behind on the deployment of the STIR/SHAKEN standards. In order to keep track of how many providers had implemented, how many were in the process of doing so, and how many might request extensions past the deadline, in April of 2021 the FCC’s Wireline Competition Bureau announced the opening of the Robocall Mitigation Database.
Accessible to the public, this database includes filing instructions and deadlines for communications providers implementing, or planning to implement, the STIR/SHAKEN Standards. Pursuant to 47 CFR § 64.6305(b), all voice service providers must file certifications to the Robocall Mitigation Database providing detailed information regarding their implementation of the STIR/SHAKEN caller ID authentication framework and/or a Robocall Mitigation Plan.
“This is a big positive for the industry because while we do want the STIR/SHAKEN effort to be industry-led, there always has to be something that guides who participates and provides the policy. The FCC doing this really provides the central guideposts of conforming the policies to who's participating."
— Quote from Chris Wendt; Tuesday Talks Episode “Mythbusting Part Two: The Current State of STIR/SHAKEN Implementation”
The FCC structured the June 30th STIR/SHAKEN implementation deadline and the database so that voice service providers would have to certify that they have either entirely or partially deployed the STIR/SHAKEN standard, or if they have not yet done so, that they have implemented and are following a detailed Robocall Mitigation Plan.
If you are a provider of voice service, whether it’s wireless, cable, VoIP, interconnected VoIP, one-way VoIP, two-way VoIP, or any entity that enables two-way voice communications that interconnects to the PSTN and utilizes North American Numbering Plan (NANP) resources or numbers, you are required to register.
Transit or intermediate providers neither originate or terminate voice traffic. The FCC has imported intermediate providers into the database so that on September 28th, if you’re a voice service provider and are not listed in the Robocall Mitigation Database, any other voice service provider or intermediate provider is prohibited from accepting your traffic.
It is technically required for foreign voice service providers to register in the database, however the FCC recognizes that it doesn’t have jurisdiction over foreign service services. The FCC acknowledged this and stated that foreign voice service providers who are using NANP resources will not have their calls completed to the United States unless they file within the Robocall Mitigation Database. They either have to have deployed STIR/SHAKEN or have a Robocall Mitigation Plan that they are following.
The FCC framed this section to place the obligation on the intermediate providers, or else domestic service providers in the U.S. will not be able to accept their traffic, keeping in mind that this applies to foreign providers that are using NANP resources, which amounts to a small subset. The June 30th deadline also does not apply for foreign providers though they must register by September 28th or else risk their voice traffic being blocked once it reaches the U.S.
When the FCC established the framework for the Robocall Mitigation Plan, they did it in a non-prescriptive manner. They did not list what you had to do, how to do it, or what the details were, and instead, left that up to the service providers to decide. What they did make clear was the expectation of a detailed description of the measures being put in place that can reasonably be expected to significantly reduce the origination of illegal robocalls.
“The plan must be detailed, and it must be followed.”
— Kevin Wiley, Wiley Rein LLP
The plan is essentially your local policy and how you plan to assign A, B, or C attestation based on what you know about the traffic on your network. The STIR/SHAKEN standards were not designed to tell you whether a call is good, bad, indifferent, or illegal. They were designed to convey if a number is valid and where it came from can be validated. So even an A-Level attested call could be an illegal call, making it critical for a provider's Robocall Mitigation Plan to look beyond attestation level and concern itself with reducing illegal or bad traffic from originating on their network.
If a voice provider fails to do any of that or does not follow the necessary due diligence of making sure they are not originating bad traffic on their network, they could be opening themselves up to enforcement action, especially if their network is used as a platform for originating illegal robocalls. If the plan itself is only a few sentences and doesn’t have any detailed structure as to the actions they plan to take, the FCC will view this plan as insufficient in reasonably expecting to reduce the origination of illegal robocalls.
When plans are being written, providers must consider ways they can actually reduce these calls, whether it’s contractual terms, termination provisions, network monitoring, or implementing a local Know Your Customer (KYC) policy solution. The FCC has not addressed if they will be proactively reviewing the submitted plans for potential inadequacies, or what would happen if any are found, but they did flag it as a possibility. If the plans are not detailed enough or not having the desired effect, the FCC may review the entire plan’s framework, including through a rule-making.
With only a week left to file a Robocall Mitigation Plan, it’s officially go time!
The infamous June 30th date has resulted in a fair amount of misunderstanding and misconceptions. It is a certification and registration deadline for any provider of voice service to enter accurate and detailed information into the database as part of their implementation status or Robocall Mitigation Plan to the FCC under penalty of perjury.
Come July 1st, voice service providers that have deployed the standards will start signing calls with their according attestation levels. Early on, in the coming years, whether a call is labeled A, B, or C, will not have an impact on the ability of a legitimate enterprise caller to make outbound calls. Service providers are prohibited by FCC rules to block a call based on attestation level alone.
The September 28th deadline that has been softly mentioned, marks the prohibition on accepting traffic from service providers who are not in the database.
As of today (06/23/21) at 10:30 am EST, there are just over 1,600 certifications and registrations in the database, but as we get closer to the deadline, those numbers are likely to increase. Right now, there are 168 providers who have completely implemented STIR/SHAKEN. They don’t have to complete a Robocall Mitigation Plan because they have already deployed the standard. There are almost 900 providers that have either no STIR/SHAKEN implementation, or partial, which means they have implemented and should be following their Robocall Mitigation Plans. There is an N/A category in the database of about 400 intermediate providers. They are not under any current obligation to have a Robocall Mitigation Plan, they have no choice but to deploy the standard so they have been rolled into the database.
When the FCC established the STIR/SHAKEN mandate they realized there were certain voice providers that either couldn’t meet the deadline or could be subject to a reasonable extension for the certification deadline.
The following two categories that qualify for an extension are corner cases.
When those providers register in the database they will be given the opportunity to identify in which of the categories they can avail themselves of an extension. For those implementing a Robocall Mitigation Plan, you must disclose the category in your plan, which extension category you qualify for, and that you are certified to that extension category.
The Robocall Mitigation Database is accessible to the public, where an active listing of all voice service providers that have submitted sufficient filings can be reviewed, and voice service providers may submit their certifications.
As noted while viewing the Robocall Mitigation Database, if you believe there are errors with the content or function of the database, or if you require special assistance with submitting a filing, please email FCC staff at RobocallMitigationDatabase@FCC.gov.
As Wiley notes in this article on Expectations for Voice Service Providers, the filing of a robocall mitigation plan “applies to all voice service providers – not only those granted an extension – who will be required to file robocall certifications with the FCC.” With a special thanks to our friends at Kelley Drye, we recommend taking a look at the following helpful resources for service providers to further dive into the requirements set forth by the FCC to file a robocall mitigation plan:
Podcast: Robocall Mitigation Plans: understand when providers need to implement mitigation programs and what needs to be included. Review recommendations for customizing a program to fit a provider’s needs and how to build a program that is both effective and manageable.
As noted by the FCC, “Call authentication, based on STIR/SHAKEN technological standards, enables voice service providers to verify that the caller ID information transmitted with a call matches the caller’s phone number. Use of these standards will help combat scammers’ use of caller ID spoofing to mask their true identity and trick consumers by appearing to call from local or other trusted numbers. It will also allow law enforcement, the FCC, and industry to more quickly and effectively trace back scam calls to their source.”
The requirement of instituting a Robocall Mitigation Plan, simply put, ensures that we have a united front, across the full spectrum of service providers, large and small, to join together in the fight against illegal robocalls.
Whether it’s full STIR/SHAKEN implementation, or it’s an alternative or partial implementation as accompanied by a Robocall Mitigation Plan, service providers are expected to do their part in authenticating the legitimacy of the originating source of traffic as it relates to the authorized use of the phone numbers being displayed to the end user.
How exactly these authenticated calls will be displayed on the end user device leaves much room for question, but to directly answer the question asked by just about every legitimate business, “will my calls be blocked on July 1 in the aftermath of the June 30 deadline?,” the answer is “no.” Service providers are prohibited by FCC rules to block a call based on attestation level alone.
What and when service providers may choose to block down the line will be defined by STIR/SHAKEN local policy, individual plans outlined with a Robocall Mitigation Plan, or cooperation with the Industry Traceback Group (ITG) to prosecute known bad actors. And when September 28, 2021 rolls around, the FCC has mandated that phone companies must refuse to accept traffic from voice service providers not listed in the Robocall Mitigation Database.
Endeavoring to shed light and bring truth on emerging topics in the communications industry, Numeracle’s CEO and Founder, Rebekah Johnson, alongside our Chief Product Officer, Anis Jaffer, have begun a biweekly live discussion series-turned-podcast, Tuesday Talks. Our latest episode featured Kevin Rupy, Partner at Wiley LLC, and nationally recognized authority on key issues affecting the telecom industry, particularly those relating to legal and illegal robocalls.
To listen in on these and other full episodes of Tuesday Talks, visit https://www.numeracle.com/tuesday-talks, or check out our STIR/SHAKEN Knowledge Center for additional information around the rollout of the STIR/SHAKEN call authentication framework.
2021 will be a busy year for service providers as the industry works to stand up the STIR/SHAKEN call authentication framework in accordance with the FCC’s mandates. Providers should begin immediately to develop implementation strategies suitable for their companies and to establish robocall mitigation programs in compliance with the rules. Please contact us or your regular Kelley Drye contact if you need any assistance or catch Partner, Steve Augustino in our upcoming webinar as part of the SIP Forum’s STIR/SHAKEN Virtual Summit 2021.