Telephone and Texting Compliance News: Regulatory Update — FCC Extends STIR/SHAKEN Mandate to Intermediate Providers
As part of its Sixth Caller ID Authentication Report and Order (“Report and Order”) seeking to address unlawful robocalling and caller ID spoofing, the Federal Communications Commission (“Commission”) adopted new rules extending the requirement for the first (non-gateway) intermediate provider in the path of an unauthenticated (Session Initiation Protocol) SIP call to authenticate the call, regardless of the provider’s traceback obligations. This obligation will require intermediate providers to either upgrade their networks and implement STIR/SHAKEN or participate as a member of a working group, industry-standards group, or consortium working to develop a non-IP caller ID authentication solution. Intermediate providers must comply with the new mandate by December 31, 2023.
In addition to STIR/SHAKEN obligations, the Commission also extended several Robocall Mitigation Database (“RMD”) filing requirements to all providers regardless of their STIR/SHAKEN implementation status. In particular, the Report and Order requires all providers, including intermediate and voice service providers that have fully implemented STIR/SHAKEN, to take “reasonable steps to mitigate illegal robocalls” and file certifications along with robocall mitigation plans in the RMD.
In her statement adopting the Report and Order, Chairwoman Rosenworcel noted that the Report and Order would close “loopholes” that bad actors use to advance new schemes, saying “[t]oday we shut down a gap we found in our policies, demonstrating that we can be even more nimble than the bad actors responsible for these junk calls.” Commissioner Starks echoed the Chairwoman’s sentiments and praised the “accountability” the new rules would bring, especially in combination with the strengthened enforcement authorities, stating, “Ultimately, we’ve made good progress blunting the growth of robocalls, and I’m confident that these new requirements, and our significant and real improvements to our enforcement capabilities, will continue the trend.”
“Reasonable Steps” Standard Applied to All Providers
The Report and Order expands the general mitigation standard to all providers. This means that all providers, including those providers that have implemented STIR/SHAKEN, must adhere to detailed robocall mitigation practices that can reasonably be expected to significantly reduce the processing or origination of illegal traffic. Providers newly covered by this obligation will be required to begin meeting the general mitigation standard within 60 days after the Report and Order is published in the Federal Register.
Expanded RMD Filing Obligations
The Report and Order also requires all providers to file a robocall mitigation plan along with a certification in the RMD. Under the new rules, a provider’s robocall mitigation plan must include the following items:
- A description of the specific “reasonable steps” the provider has taken to avoid processing illegal call traffic;
- A description of how the provider is meeting its “know-your-customer” obligations;
- For non-gateway intermediate providers, a description of the provider’s “know-your-upstream-provider” procedures;
- A description of any call analytics systems (including third-party vendors) the provider uses to mitigate or block illegal traffic; and
- A description of any contractual provisions with end-users or upstream providers the provider uses to comply with its know-your-customer or upstream-provider obligations.
Likewise, the Report and Order requires additional, new information in a provider’s RMD certification. Thus, a complete certification must now include statements of the following:
- Whether the provider has fully, partially, or not implemented STIR/SHAKEN on the IP portions of its network;
- The provider’s business name and primary address;
- Other business name(s) in use by the provider;
- All business names previously used by the provider;
- Whether the provider is a foreign provider;
- The name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation–related issues;
- Identification of the provider’s role(s) in the call chain;
- Whether an applicable STIR/SHAKEN exemption or extension applies (noting the specific rule under which it was granted) and an explanation of why the exemption/extension applies to the provider;
- Whether they have not been barred from the RMD due to any law enforcement or Commission action; and
- Whether they are subject to any Commission, law enforcement, or other regulatory agency action or investigation due to suspected unlawful robocalling or spoofing.
Filers newly subject to the obligations in the Report and Order and existing filers with new or modified obligations must file or amend their robocall mitigation plans and RMD certifications by the later of 30 days following publication of the Office of Management and Budget approval of the new filing requirements in the Federal Register, or any deadline set by the Commission’s Wireline Competition Bureau through a Public Notice.
Non-gateway intermediate providers will also be prohibited from accepting traffic from any provider not listed in the RMD beginning 90 days from the compliance deadline established for the RMD filing obligations outlined above.
Additional Enforcement Authority
The Report and Order provides the Commission’s Enforcement Bureau with several new tools to use against robocallers. Specifically, the Enforcement Bureau may now (1) impose forfeitures on a per-call basis for a provider’s failure to block traffic pursuant to the Commission’s robocall blocking requirements; (2) remove non-gateway intermediate providers from the RMD for deficient RMD filings or negligently carrying illegal call traffic; and (3) revoke a provider’s Section 214 authorization (or any other Commission authorization if the provider is not a common carrier) for continued violations of the rules.
The Report and Order also establishes an expedited removal process for “facially deficient” RMD filings. Under the new rules, the Enforcement Bureau is allowed to remove a provider from the RMD on an expedited basis where the provider willfully fails to submit a robocall mitigation plan with information regarding the specific reasonable steps it is taking to mitigate unlawful traffic or is non-responsive to Commission request for information. Expedited removal is a two-step process whereby the Enforcement Bureau would notify a provider that its RMD submission was facially deficient. The provider would then have 10 days to respond and cure the deficiency. If the provider failed to do either or show that there was no deficiency, the Enforcement Bureau would then issue an order removing the provider from the RMD. This would mean downstream providers would no longer be permitted to carry that provider’s traffic.