Latest FCC Move Against Robocalls Would Increase Caller ID Authentication, Other Requirements
Privacy in Focus®
On September 30, 2020, the Federal Communications Commission (FCC or Commission) will vote on a draft Second Report and Order (Draft Order) as part of the Commission’s ongoing efforts to combat illegal spoofing and stop illegal and unwanted robocalls. The Draft Order, if adopted, would significantly impact voice service providers across the ecosystem. This latest item further implements STIR/SHAKEN, the industry-led caller ID authentication framework that was mandated by the Commission in March, pursuant to the TRACED Act. Among other things, the item would establish rules on caller ID authentication in non-IP networks, establish frameworks for exemptions from and extensions of the June 30, 2021 STIR/SHAKEN mandate deadline, impose obligations on intermediate providers, and create a new registration framework for all voice service providers.
Stakeholders in the voice service and robocall mitigation ecosystem – including voice service providers, analytics engines, and call originators, among others – have until September 23, 2020 to weigh in on the Draft Order. Below is a brief summary of this proceeding’s background, as well as the key elements of the Draft Order. For a full summary or to engage on any of these issues, do not hesitate to reach out to a member of our team.
As background, late last year, the President signed into law the Pallone-Thune TRACED Act (TRACED Act or TRACED), a bill focusing on fighting illegal and unwanted robocalls. The TRACED Act, among other things, requires a raft of regulatory proceedings and actions from the FCC in a relatively short amount of time, meaning that stakeholders can expect to see a steady stream of robocall-mitigation efforts coming from the Commission throughout (and beyond) this year. The recently adopted Caller ID Authentication Mandate Order requires that “all voice service providers implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (IP) portions of their networks by June 30, 2021.” ¶ 3.
STIR/SHAKEN was a centerpiece of the TRACED Act, but it is just one of many regulatory proceedings and actions that TRACED set in motion. Beyond this caller ID authentication proceeding, the Commission, as well as industry stakeholders, has been very busy implementing TRACED this year.
Establishing Rules for Caller ID Authentication in Non-IP Networks
The Draft Order, if adopted, would “interpret the TRACED Act’s requirement that a voice service provider take ‘reasonable measures’ to implement an effective caller ID authentication framework in the non-IP portions of its network as being satisfied only if the voice service provider is actively working to implement a caller ID authentication framework on those portions of its network.” ¶ 24. The Draft Order identifies two interpretations for what constitutes “reasonable measures.” Specifically, a voice service provider would satisfy that obligation by either (1) completely upgrading its non-IP networks to IP and implementing the STIR/SHAKEN authentication framework on its entire network, or (2) working to develop a non-IP authentication solution. The Draft Order focuses most of its analysis on the second prong of the “reasonable measures” standard addressing the development of a non-IP authentication solution. ¶¶ 25-32. A voice service provider would satisfy the obligation if it participates in an effort to develop a non-IP authentication solution either directly, or through a third-party representative, such as a trade association of which it is a member or vendor. ¶¶ 26- 27. The Commission writes that this “firm but flexible approach” will permit voice service providers to actively work on developing a solution, and that “any related compliance costs will be quite limited.” ¶ 27.
In the Draft Order, the Commission plans to reject the request by the Alliance for Telecommunications Industry Solutions (ATIS) to delay adopting rules until the joint ATIS/SIP Forum IP-NNI Task Force concludes its work, and a separate proposal to mandate out-of-band STIR. ¶¶ 28, 31. The Draft Order would also consider a non-IP caller ID authentication framework to be effective only if it is: (1) fully developed and finalized by industry standards; and (2) reasonably available such that the underlying equipment and software necessary to implement such protocol is available on the commercial market. ¶ 32.
Establishing Rules for the Extension of Implementation Deadlines
The Draft Order notes that the TRACED Act includes two provisions for extension of the June 30, 2021 implementation date for caller ID authentication frameworks. First, it permits the FCC to delay compliance for a “reasonable period of time,” based upon a public finding of “undue hardship.” Second, it requires the FCC to grant a delay to the extent that “a provider or class of providers of voice services, or type of voice calls, materially relies on a non-[IP] network for the provision of such service or calls” “until a call authentication protocol has been developed for calls developed over non-[IP] networks and is reasonably available.” ¶ 36 (alteration in original).
Under either extension provision, an extension may be provider-specific or apply to a “class of providers of voice service, or type of voice calls,” and the FCC must also annually reevaluate any granted extension for compliance. ¶ 37. Based on these directives, the Draft Order would grant the following extensions from the June 30, 2021 caller ID authentication implementation deadline:
- a two-year extension to small, including small rural, voice service providers (the Draft Order would define “small voice service providers” as those with 100,000 or fewer voice subscriber lines) ¶ 40;
- an extension to voice service providers that cannot obtain a certificate due to the Governance Authority’s token access policy until such provider is able to obtain a certificate;
- a one-year extension to services scheduled for Section 214 discontinuance; and
- an extension for the parts of a voice service provider’s network that rely on technology that cannot initiate, maintain, and terminate SIP calls until a solution for such calls is reasonably available. ¶ 38.
For various reasons, the Draft Order would also decline to provide extensions for a broad range of discrete entities. These include voice service providers that use time-division multiplexing (TDM) (¶¶ 51-52) and rural voice service providers that do not meet the “small” threshold (¶¶ 53-55). The Draft Order generally concludes that extensions for these categories of providers would be superfluous and unnecessary, respectively. Similarly, the Draft Order would conclude that extensions for enterprise calls and intra-network calls would be counterproductive. ¶¶ 57-63.
Provider-Specific Extension Requests Would Be Due November 20, 2020
The Draft Order would also establish a framework for individual providers to petition the FCC to request an extension of the implementation deadline. ¶ 64. The FCC’s Wireline Competition Bureau (Bureau) would be directed to seek comment on any such petitions and to issue an order determining whether to grant the voice service provider an extension. Petitions would be due by November 20, 2020, and the Bureau would be required to issue a decision no later than March 30, 2021. The Draft Order would require petitioners to demonstrate “in detail the specific undue hardships, including financial and resource constraints, that it has experienced and explain why those pose an undue hardship to STIR/SHAKEN implementation within the timeline required by Congress.” ¶ 64.
The Draft Order would also direct the Bureau to reevaluate the extensions established annually, and to revise or extend them as necessary. ¶ 70. The Bureau would be permitted to decrease, but not to expand, the scope of entities that are entitled to a class-based extension based on its assessment of burdens and barriers to implementation. ¶ 71. The Bureau would also concurrently assess burdens and barriers to implementation faced by those categories of voice service providers subject to an extension when it reviews those extensions on an annual basis. ¶ 72.
Establishment of Robocall Mitigation Programs
Under the Draft Order, any voice service provider that has been granted an extension of the implementation deadline, during the time of the extension, would be required to establish an appropriate robocall mitigation program to prevent unlawful robocalls from originating on the network of the provider. ¶ 74. The Draft Order details the requirements for any robocall mitigation program. ¶¶ 75-79. The FCC would generally take a “non-prescriptive approach” to any requirements (¶ 75), although voice service providers subject to an extension would be required “to document and publicly certify how they are complying with these requirements.” ¶ 76. A robocall mitigation program would be deemed sufficient if the voice service provider: (1) includes detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls; (2) complies with the practices it describes; and (3) participates in industry traceback efforts. ¶¶ 77-78. The Draft Order would also enable the FCC’s Enforcement Bureau to impose on a voice service provider more prescriptive measures where its robocall mitigation program is deemed insufficient. ¶ 80.
Importantly, the Draft Order would also create a certification process and database to aid in enforcement efforts. It would require all voice service providers – not only those granted an extension – to file certifications with the FCC. Each voice service provider would need to certify that their traffic is either signed with STIR/SHAKEN or subject to a robocall mitigation program. ¶ 81. The Wireline Bureau is directed to establish the portal and database, provide filing instructions and training materials, and release a Public Notice when voice service providers may begin filing certifications. The Public Notice must be released no earlier than March 30, 2021, and certifications must be filed no earlier than June 30, 2021. ¶ 82. The Draft Order would also prohibit intermediate providers and terminating voice service providers from accepting voice traffic directly from any voice service provider that does not appear in the database, including a foreign voice service provider using NANP resources. ¶¶ 85-89.
Voluntary STIR/SHAKEN Implementation Exemption
The Draft Order would also establish a framework for implementing the TRACED Act’s exemption from the call authentication framework mandate for voice providers that can demonstrate they will be capable of fully implementing an authentication framework no later than June 30, 2021. ¶¶ 96-120. It outlines two exemptions – one for IP networks and one for non-IP networks – each of which would have differing thresholds for receiving the exemption. For IP networks, the Draft Order would establish four substantive prongs that must be satisfied to be exempt from the STIR/SHAKEN mandate (¶¶ 100-108), while non-IP networks would be subject to two criteria. ¶¶ 109-111. The Draft Order, however, anticipates that in the non-IP context “few if any voice service providers will seek to take advantage of this exemption” due to the difficulties in fully implementing an effective caller ID authentication framework by June 30, 2021. ¶ 109.
The Draft Order would establish a compliance certification framework for voice providers seeking either of the exemptions. ¶¶ 112-119. Each voice service provider that seeks to qualify for either exemption, or both, would be required to have an officer of the company sign a compliance certificate stating under penalty of perjury that the officer has personal knowledge that the company meets each of the stated criteria. ¶ 112. Initial certification would be due by December 1, 2020; additionally, voice service providers that receive an exemption would also be required to file a second certification after June 30, 2021, stating whether they have achieved the implementation goal. ¶ 116. The exemption process would apply only to voice service providers and would exclude intermediate providers. ¶ 120.
Line Item Charges Prohibited; Cost Recovery Permitted
Consistent with the requirements of the TRACED Act, and as proposed by the FCC, the Draft Order would also prohibit voice service providers from imposing additional line item charges on consumer or small business subscribers for caller ID authentication. ¶¶ 122-126. The FCC, however, would decline to prohibit voice service providers from recouping costs of caller ID authentication and “other robocall mitigation solutions entirely.” ¶ 123.
Caller-ID Obligations for Intermediate Providers
The Draft Order would also extend obligations onto intermediate providers, including a STIR/SHAKEN implementation mandate. ¶¶ 127-150. Notably, the Draft Order would expressly exclude intermediate providers from requesting an extension of the June 30, 2021, implementation deadline. ¶ 66, n. 259. This exclusion is due to the fact that the TRACED Act’s extension provisions apply only to providers that originate and/or terminate calls.
Regarding implementation, the Draft Order would establish obligations on intermediate providers for both authenticated and unauthenticated calls. For authenticated calls, intermediate providers would be required to pass any identity header information unaltered, with narrow exceptions for technical and security reasons. ¶¶ 128-134. For unauthenticated calls, intermediate providers would be required to either authenticate the call consistent with industry standards or participate in the industry traceback consortium as an alternative option for compliance. ¶¶ 135-142. These obligations are generally limited to IP calls. ¶¶ 143-145. Finally, the Draft Order would define “intermediate provider” as “any entity that carries or processes traffic that traverses or will traverse the [PSTN] at any point insofar as that entity neither originates nor terminates that traffic.” ¶ 146 (quoting 47 C.F.R. § 64.1600(i)). Consistent with its previous STIR/SHAKEN orders, the FCC would also assess the definition of “intermediate provider” on a call-by-call basis for the purpose of its call authentication rules. A single entity therefore may act as a voice service provider for some calls on its network and an intermediate provider for others. ¶ 146.
The regulatory landscape applicable to voice and text services is dynamic and changing in response to consumer and congressional pressure. The FCC and Federal Trade Commission have been expanding their oversight and broadening regulatory obligations across the private sector, while also bringing enforcement actions. App developers, service providers, analytics engines, and others should heed the Commission’s actions and prepare for more.
For more information about the various proceedings and deadlines launched under the Pallone-Thune TRACED Act, or any of the many proceedings in this area, please reach out to a member of our team. We have a deep and experienced robocalling and robotexting bench. Our experts handle federal and state policy issues; compliance with federal and state requirements; complex TCPA issues, including political and charitable outreach; and TCPA enforcement actions and investigations.
© 2020 Wiley Rein LLP