Alert

FCC Unanimously Agrees to Increase Caller ID Authentication, Other Requirements

October 6, 2020

On September 30, 2020, the Federal Communications Commission (FCC or Commission) unanimously adopted a Second Report and Order (Order) as part of the Commission’s ongoing efforts to combat illegal spoofing and stop illegal and unwanted robocalls. This latest item further implements STIR/SHAKEN, the industry-led caller ID authentication framework that was mandated by the Commission in March, pursuant to the Pallone-Thune TRACED Act (TRACED Act or TRACED). The Order is largely consistent with the draft circulated in early September, with some notable changes which are discussed below.

The rules established under the Order will significantly impact voice service providers across the ecosystem, including originating and terminating voice service providers, intermediate providers, and foreign voice service providers. Among other things, the item:

  • establishes obligations related to caller ID authentication in non-IP networks;
  • establishes frameworks for exemptions from and extensions of the June 30, 2021 STIR/SHAKEN mandate deadline;
  • establishes a robocall mitigation program requirement (which includes a traceback requirement) for any voice service provider that is subject to a STIR/SHAKEN deadline extension;
  • creates a new registration and certification framework for all voice service providers;
  • prohibits intermediate and terminating providers from accepting traffic from providers that are not in compliance with the new registration and certification framework; and
  • imposes new STIR/SHAKEN (and in some cases traceback) obligations on intermediate providers.

Accordingly, all stakeholders across the voice service ecosystem should pay close attention, especially to filing and certification requirements that are on the horizon.

Below is a brief summary of the key elements of the Order. For a full summary, including a matrix of the new obligations and upcoming deadlines, do not hesitate to reach out to a member of our team.

Obligations for Developing Non-IP Caller ID Authentication Solutions.

The Order interprets the TRACED Act’s requirement that a “voice service provider take ‘reasonable measures’ to implement an effective caller ID authentication framework in the non-IP portions of its network as being satisfied only if the voice service provider is actively working to implement a caller ID authentication framework on those portions of its network.” ¶ 24. The Order identifies two ways a voice service provider can satisfy the “reasonable measures” obligation: (1) by completely upgrading its non-IP networks to IP and implementing the STIR/SHAKEN authentication framework on its entire network, or (2) by working to develop a non-IP authentication solution. A voice service provider will satisfy the second option—working to develop a non-IP solution—if it participates in an effort to develop or actively test a non-IP authentication solution either directly, or through a third-party representative, such as a trade association of which it is a member or vendor. ¶¶ 25-27. The Commission writes that this “firm but flexible approach” will permit voice service providers to actively work on developing a solution, and that “any related compliance costs will be quite limited.” ¶ 27.

Notably, the Commission rejects a separate proposal to mandate out-of-band STIR. ¶ 31. The Order also explains that a non-IP caller ID authentication framework will be considered to be effective only if it is: (1) fully developed and finalized by industry standards; and (2) reasonably available such that the underlying equipment and software necessary to implement such protocol is available on the commercial market. ¶ 32.

Extensions of the June 30, 2021 STIR/SHAKEN Implementation Deadline.

The TRACED Act includes two provisions for extension of the June 30, 2021 implementation date for caller ID authentication frameworks. First, the FCC can delay compliance for a “reasonable period of time,” based upon a public finding of “undue hardship.” Second, the FCC can grant a delay to the extent that “a provider or class of providers of voice services, or type of voice calls, materially relies on a non-[IP] network for the provision of such service or calls . . . until a call authentication protocol has been developed for calls developed over non-[IP] networks and is reasonably available.” ¶ 36 (alteration in original). Under either extension provision, an extension may be provider-specific or apply to a “class of providers of voice service, or type of voice calls,” and the FCC must also annually reevaluate any granted extension for compliance. ¶ 37.

With this Order, the Commission implements these directives and grants the following class-based extensions from the June 30, 2021 caller ID authentication implementation deadline:

  • a two-year extension to small, including small rural, voice service providers (the Order defines “small voice service providers” as those with 100,000 or fewer voice subscriber lines), ¶ 40;
  • an extension to voice service providers that cannot obtain the certificates necessary to participate in STIR/SHAKEN due to the Governance Authority’s token access policy until such provider is able to obtain such certificates;
  • a one-year extension for services subject to a pending application (filed by June 30, 2021) for section 214 discontinuance; and
  • a continuing extension for the parts of a voice service provider’s network that rely on technology that cannot initiate, maintain, and terminate SIP calls until a solution for such calls is “reasonably available.” ¶ 39.

The Order also establishes a framework for individual, provider-specific extensions. Specifically, individual providers that need extensions, beyond the class-based extensions described above, must petition the FCC. ¶ 65. In a change from the Draft Order, the FCC “expects” petitions by November 20, 2020, although parties seeking additional extensions after this date are free to seek a waiver of the deadline under section 1.3 of the FCC’s rules. Even though this clarification from the Draft Order provides some flexibility, the Commission warns that it “will not look favorably on requests that rely on facts that could have been presented to the Commission prior to November 20, 2020 with reasonable diligence.” ¶ 65, n.255. The FCC’s Wireline Competition Bureau (Bureau) is directed to seek comment on any such petitions and to issue an order determining whether to grant the voice service provider an extension no later than March 30, 2021. The Order requires petitioners to demonstrate “in detail the specific undue hardships, including financial and resource constraints, that it has experienced and explain why any challenges it faces meet the high standard of undue hardship to STIR/SHAKEN implementation within the timeline required by Congress.” ¶ 65.

For various reasons, the Order declines to provide additional class-based extensions, including extensions for voice service providers that use time-division multiplexing (TDM), rural voice service providers that do not meet the “small” threshold, voice service providers facing equipment availability issues, enterprise calls, and intra-network calls. ¶¶ 52-64. The Order also declines at this time to grant individual extensions, but as discussed above, establishes a framework for providers to seek such extensions. ¶ 65.

The Bureau must reevaluate the extensions established annually, and revise or extend them as necessary. ¶ 71. The Bureau is permitted to decrease, but not to expand, the scope of entities that are entitled to a class-based extension based on its assessment of burdens and barriers to implementation. ¶ 72. Importantly, the Order clarifies that the Bureau cannot terminate an extension “prior to the extension’s originally set or newly extended end date.” ¶ 72. The Bureau will also concurrently assess burdens and barriers to implementation faced by those categories of voice service providers subject to an extension when it reviews those extensions on an annual basis. ¶ 73.

Requirement to Implement Robocall Mitigation Programs for Certain Providers.

The new robocall mitigation program requirement applies to any voice service provider that has been granted an extension of the June 30, 2021 STIR/SHAKEN implementation deadline.

Specifically, those voice service providers, during the time of the extension, must implement an appropriate robocall mitigation program to prevent unlawful robocalls from originating on the network of the provider. ¶ 74. Notably, the FCC declined to expand this requirement to all voice service providers, regardless of whether they implement STIR/SHAKEN in their networks, as various parties had advocated for while the Draft Order was under consideration. ¶ 75.

The Order details the requirements for any robocall mitigation program, highlighting that it is generally taking a “non-prescriptive approach.” ¶¶ 76-80. Robocall mitigation programs will be deemed sufficient if the voice service provider: (1) includes detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls, (2) complies with the practices it describes, and (3) participates in industry traceback efforts. ¶¶ 78-79. Further, a voice service provider subject to the requirement must “document and publicly certify how they are complying.” ¶ 77. The Order enables the FCC’s Enforcement Bureau to impose on a voice service provider more prescriptive measures where its robocall mitigation program is deemed insufficient. ¶ 81.

Certification Requirement for All Voice Service Providers.

Importantly, the Order also creates a certification process and database to aid in enforcement efforts. It requires that all voice service providers—not only those granted an extension—file certifications with the FCC. Each voice service provider will need to certify that their traffic is either signed with STIR/SHAKEN or subject to a robocall mitigation program. ¶ 82. The Wireline Competition Bureau will establish the portal and database, provide filing instructions and training materials, and release a Public Notice when voice service providers may begin filing certifications. The Public Notice must be released no earlier than March 30, 2021, and the deadline for filing certifications will be no earlier than June 30, 2021. ¶ 83.

Prohibition on Accepting Traffic from Providers that Do Not Certify.

Flowing from the new certification requirement, the Order prohibits intermediate providers and terminating voice service providers from accepting voice traffic directly from any voice service provider that does not appear in the new database, including an intermediate provider (whose information will be ported into the new database from the Intermediate Provider Registry), and a foreign voice service provider using the North American Numbering Plan (NANP) resources. ¶¶ 86-94.

Voluntary STIR/SHAKEN Implementation Exemption.

Next, the Order establishes a process for implementing the TRACED Act’s exemption from the call authentication mandate for voice providers that can demonstrate they will be capable of fully implementing an authentication framework no later than June 30, 2021. ¶¶ 101-125. It outlines two exemptions—one for IP networks and one for non-IP networks—each of which has a different threshold for receiving the exemption.

For IP networks, the Order establishes four substantive prongs that must be satisfied to be exempt from the STIR/SHAKEN mandate. ¶¶ 106-113. For non-IP networks, there are two criteria. ¶¶ 114-116. The Commission, however, anticipates that in the non-IP context “few if any voice service providers will seek to take advantage of this exemption” due to the difficulties in fully implementing an effective caller ID authentication framework by June 30, 2021. ¶ 114.

Voice providers seeking either of the exemptions must have an officer of the company sign a compliance certificate stating under penalty of perjury that the officer has personal knowledge that the company meets each of the stated criteria. ¶ 118. Initial certifications are due December 1, 2020, and the Bureau will issue a list of the entities that will receive the exemption by December 30, 2020. ¶ 119. If a provider files an inadequate initial certification, there will be no opportunity to cure. ¶ 120. Additionally, voice service providers that receive an exemption are required to file a second certification after June 30, 2021, stating whether they have achieved the implementation goal. ¶ 121.

Prohibition on Line Item Charges, But Not Cost Recovery.

Consistent with the requirements of the TRACED Act, and as previously proposed by the Commission, the Order prohibits voice service providers from imposing additional line item charges on consumer or small business subscribers for caller ID authentication. ¶¶ 126-131. The Commission, however, declines to prohibit voice service providers from recouping costs of caller ID authentication and “other robocall mitigation solutions entirely.” ¶ 128.

STIR/SHAKEN Obligations for Intermediate Providers.

Finally, the Order imposes new obligations on intermediate providers, including a STIR/SHAKEN implementation mandate. ¶¶ 132-155. Notably, the Order expressly excludes intermediate providers from requesting an extension of the June 30, 2021 implementation deadline. ¶ 67, n.265. The Order also makes clear that the exemption process applies only to voice service providers and not to intermediate providers. ¶ 125.

Regarding implementation, the Order establishes obligations on intermediate providers for both authenticated and unauthenticated calls. For authenticated calls, intermediate providers are required to pass any identity header information unaltered, with narrow exceptions for technical and security reasons. ¶¶ 133-139. For unauthenticated calls, intermediate providers are required to either authenticate the call consistent with industry standards or participate in the industry traceback consortium as an alternative option for compliance. ¶¶ 140-148. These obligations are generally limited to IP calls. ¶¶ 148-150.

***

The regulatory landscape applicable to voice and text services is dynamic and changing in response to consumer and congressional pressure. The Federal Communications Commission and Federal Trade Commission have been expanding their oversight and broadening regulatory obligations across the private sector, while also bringing enforcement actions. App developers, service providers, analytics engines, and others should heed the Commission’s actions and prepare for more.

For more information about the various proceedings and deadlines launched under the Pallone-Thune TRACED Act, or any of the many proceedings in this area, please reach out to a member of our team. We have a deep and experienced robocalling and robotexting bench. Our experts handle federal and state policy issues; compliance with federal and state requirements; complex TCPA issues, including political and charitable outreach; and TCPA enforcement actions and investigations.
