Telephone and Texting Compliance News: Regulatory Update — September 2025

FCC Removes Over 1,200 Providers from Robocall Mitigation Database in Compliance Crackdown

In two sweeping moves aimed at reducing the volume of robocalls traversing the nation’s telephone networks, the FCC’s Enforcement Bureau ordered that more than 1,200 voice service providers be removed from its Robocall Mitigation Database (RMD) for deficient RMD filings. These actions effectively disconnect these providers from the US telephone network and are the most aggressive robocall mitigation and enforcement steps taken by the FCC so far under FCC Chairman Brendan Carr.

In its two orders removing the offending providers, the Bureau found that these providers failed to maintain accurate or complete RMD submissions and certifications (August 6 Order and August 25 Order). The RMD is a critical tool used by the FCC to, among other things, ensure compliance with its caller ID authentication standards under the STIR/SHAKEN framework. A provider’s RMD certification is also intended to demonstrate to the FCC that the provider is actively working to prevent illegal robocalls and has implemented robust robocall mitigation measures. The RMD also helps the FCC find and contact providers when they are identified as originating or transmitting illegal call traffic. Downstream providers are not permitted to carry call traffic transmitted by providers that do not have an RMD certification.

The Bureau’s action was not without warning. As we previously reported, in December 2024, the Bureau notified over 2,000 providers that they needed to correct deficiencies in their filings or face removal. The Bureau first made good on this threat on August 6 by removing 185 of those providers for noncompliance. Notably, the Industry Traceback Group had also identified these same providers as having transmitted suspicious traffic in the past and failed to respond to traceback requests. The Bureau continued its efforts to combat robocalling on August 25, when it removed an additional 1,200 providers with deficient filings.

These two actions demonstrate the FCC’s commitment to enforcing these rules. In announcing these orders, Chairman Carr emphasized this commitment and the importance of the RMD in protecting American consumers, stating:

Robocalls are an all-too-common frustration — and threat — to American households. The FCC is doing everything in its power to fight back against these malicious and illegal calls. Providers that fail to do their duty when it comes to stopping these calls have no place in our networks. We’re taking action and we will continue to do so.

The providers will only be allowed to refile in the RMD with prior approval from the FCC’s Enforcement and Wireline Competition Bureaus to ensure that only compliant carriers regain access to the network. Unless and until any of these providers are permitted to refile in the RMD, no US-based voice service, intermediate, or gateway provider may carry traffic from any of the entities listed in the above-linked orders.

Third-Party Call Authentication Rules Effective September 18, 2025

On August 19, the FCC announced that its new third-party caller ID authentication obligations will take effect on September 18, 2025. As we reported in November 2024, these rules were adopted in the Eighth Caller ID Authentication Report and Order, representing another step in the FCC’s efforts to strengthen the STIR/SHAKEN framework and reduce the number of spoofed and fraudulent phone calls.

Under the new rules, all voice service providers subject to the FCC’s STIR/SHAKEN implementation obligations (including originating, intermediate, terminating, and gateway providers) must ensure that all calls are signed using their own digital certificates, not those of a third party. While these providers may still utilize third-party authentication, they must retain control over the attestation decisions and use a certificate tied to their own Service Provider Code (SPC) token. Providers that do not control the infrastructure necessary to implement STIR/SHAKEN — such as resellers and Mobile Virtual Network Operators — are exempt from the requirement to obtain their own SPC token.

To comply with the new rules, affected providers must (1) obtain an SPC token and digital certificate; (2) sign calls using their certificate; and (3) update their RMD filings to certify to partial or complete STIR/SHAKEN implementation. In addition, providers relying on third-party authentication platforms must formalize these arrangements through written contracts that meet FCC standards, and maintain records of these agreements.

Subscribe To Viewpoints