New Robocall Mitigation Obligations and Filing Deadlines for Voice Service Providers and Gateway Providers
2022 was a momentous year in the robocall mitigation space—with major developments coming from industry and government. One major update coming out of the Federal Communications Commission (FCC or Commission) was the adoption of the May 19, 2022 Report and Order, Order on Reconsideration, Order, and Further Notice of Proposed Rulemaking (Order), which imposed significantly expanded robocall mitigation obligations on so-called “gateway providers,” which are the entry points for foreign calls into the United States, and new “chain of trust” requirements on all voice service and intermediate providers.
Under the Order, several new obligations and filing deadlines will become effective this month and early next year. Below, we provide some additional background and information on the new obligations and filing deadlines that all providers should be aware of.
Providers Have a Variety of New Obligations
Overall, and as discussed in more detail in our summary of the item, the Order took steps to require gateway providers to play a more active role in the fight against illegal robocalls originating from overseas. Among other requirements, under the new Order, gateway providers must:
- apply STIR/SHAKEN caller-ID to all Session Initiation Protocol (SIP) calls carrying a U.S. number;
- submit certifications and mitigation plans to the Robocall Mitigation Database (RMD);
- respond to traceback requests from the traceback consortium within 24 hours;
- block calls based on a reasonable do-not-originate (DNO) list; and
- incorporate “know your upstream provider” requirements into their mitigation plans.
Additionally, the Order expanded the “chain of trust” requirements for all voice service providers and intermediate providers, as they relate to gateway providers. Gateway Providers are required to submit a certification and mitigation plan to the RMD, and intermediate providers and voice service providers will be prohibited from accepting traffic from gateway providers not listed in the RMD beginning next year.
Newly Announced Effective Dates and Filing Deadlines Are on the Horizon
On Monday, December 12, 2022, the FCC’s Wireline Competition Bureau (Bureau) issued a Public Notice announcing the effective dates and filing requirements associated with some of the new obligations, following recent Office of Management and Budget approval. The Bureau’s Public Notice outlines various deadlines for the implementation of gateway provider robocall mitigation requirements, additional voice service provider compliance dates, and filing instructions, among other things. These requirements—and other forthcoming deadlines—are briefly summarized below.
- DNO List Blocking. By December 19, 2022, gateway providers must block calls based on any reasonable do-not-originate (DNO) list. Gateway providers are permitted to use any reasonable DNO list, which contains a list of numbers that should never be used to originate calls. The FCC declined to mandate the use of a specific list but will permit gateway providers to use any DNO list so long as the list is reasonable.
- Gateway Provider RMD Certification and Mitigation Plans. By January 11, 2023, gateway providers must submit a certification and mitigation plan to the RMD. Such plans must include: (1) know your upstream provider provisions that contain reasonable steps to avoid carrying or processing illegal robocall traffic; (2) a commitment to respond fully and within 24 hours to all traceback requests from the FCC, law enforcement, and the industry traceback consortium; and (3) a commitment to cooperate with such entities in investigating and stopping any illegal robocallers that use the gateway provider’s service to carry or process calls.
The Bureau emphasizes that to the extent a gateway provider filing was imported into the RMD via the Intermediate Provider Registry, that RMD entry is insufficient to meet the gateway provider’s affirmative obligation to submit a certification to the RMD. The Public Notice also includes filing instructions for providers that act as both a gateway provider and a voice service provider. Such providers will have the opportunity to indicate on the submission form that they are certifying as both a gateway provider and a voice service provider, and will be presented with two sets of certification options—one set containing the required certifications for gateway providers and one set containing the required certifications for voice service providers. The Public Notice also includes a link to the FCC’s updated RMD filing instructions, which incorporate specific guidance for gateway providers.
- Know Your Upstream Provider Requirements. Also beginning in January 2023, gateway providers are required to follow new “know your upstream provider” rules, which require them to “take reasonable and effective steps” to ensure that their upstream foreign provider is not using the gateway provider to process a high volume of illegal traffic. While the rule states that this requirement will begin January 16, 2023; the RMD certification and mitigation plan requirement discussed above—which will be effective January 11, 2023—requires gateway providers to describe "how [they have] complied with the know-your-upstream provider requirement.
- Blocking of Gateway Providers Not Listed in RMD. Beginning April 11, 2023, all providers—including intermediate providers and voice service providers—will be prohibited from accepting traffic from gateway providers not listed in the RMD. To assist providers in making blocking determinations, the FCC added new columns in the RMD that will enable providers to differentiate between affirmative gateway provider filings and imported gateway provider filings when making blocking determinations.
- Blocking Foreign Providers Not Listed in RMD. Also beginning April 11, 2023, all providers—including voice service providers and intermediate providers—may only accept calls from a foreign provider if the foreign voice service providers and foreign intermediate providers are registered in the RMD. The rule only relates to foreign providers that use North American Numbering Plan resources that pertain to the United States in the caller ID field to send voice traffic to residential or business subscribers in the United States.
The Bureau’s Public Notice also provides further clarification to foreign voice service providers and foreign intermediate providers registering in the RMD. Specifically, to the extent that foreign providers face bona fide foreign legal constraints that conflict with any of the certifications or attestations required of RMD filers, such foreign providers should explain any such legal constraints in their robocall mitigation program description. The Public Notice also provides guidance to foreign providers that have fully or partially deployed the STIR/SHAKEN standard.
- Implementing STIR/SHAKEN for Gateway Providers. By June 30, 2023, gateway providers must also implement the STIR/SHAKEN framework within their networks and authenticate SIP calls carrying a U.S. number in the caller ID field. Consistent with the FCC’s initial order establishing the STIR/SHAKEN framework, gateway providers can satisfy the requirements by adhering to three ATIS standards: ATIS-1000074, ATIS-1000080, and ATIS-1000084. To the extent a gateway provider cannot deploy the standard due to some, or all, of its network being non-IP, they must certify to that status.
In sum, there are rapidly approaching compliance deadlines associated with the FCC’s new obligations under the Gateway Provider Order, which will impact a broad range of foreign and domestic entities, including voice service providers, intermediate providers, and gateway providers. Many of these deadlines are fast approaching, and all providers must be prepared to comply with the FCC’s new requirements.
We have a deep and experienced robocalling bench, and our experts handle federal and state policy issues, compliance with federal and state requirements, and complex TCPA issues. For more information about the gateway provider obligations, please contact one of the authors listed on this alert.