Best practices for call authentication

The FCC asked the Call Authentication Trust Anchor (CATA) working group to recommend best practices for the implementation of call authentication. The TRACED Act required this step. The CATA has recently issued a report with proposed best practices. Here’s a summary overview.

The FCC published a public notice on October 1, 2020 asking for comments on these proposed best practices by October 16, 2020.

Summary of proposed best practices

The CATA working group proposed best practices in the following areas:

1. Subscriber vetting
2. Telephone number validation
3. A-level attestation
4. B- and C-level attestation
5. Third-party validation services
6. International call originators using NANP numbers
7. Ongoing robocall mitigation

1. Subscriber vetting

The best practices document defines a few terms to discuss best practices for subscriber vetting:

Customer — the entity that purchased services, including the right to use a telephone number. This could be a person, enterprise, reseller, or value-added service provider.

End user — the entity using the service, such as initiating calls from the issued number.

Direct relationship — the customer and the end user are the same.

Indirect relationship — the customer and the end user are different.

Best practices distinguish between a direct and an indirect relationship between the originating service provider and the end user that initiates a call.

When there’s a direct relationship between the originating service provider and the end user, the normal retail practices of signing up the customer are sufficient to vet the customer/end user.

When there’s an indirect relationship between the originating service provider and the end user, best practices include the collection of additional information suitable for the nature of the relationship. The best practices document is not very specific about the information but offers the following example:

Providers will confirm the identity of new commercial VoIP customers by collecting information such as physical business location, contact person(s), state or country of incorporation, federal tax ID, and the nature of the customer’s business.

2. Telephone number validation

Telephone number validation is used to determine that an end user has a legitimate use of a telephone number used in caller ID.

In a direct relationship between the originating service provider and the end user, this is easily determined.

For an indirect relationships, the best practices document lists mechanisms that are currently under development for indirect attestation, such as Delegate Certificates, Letters of Authorization, and Central Database methods.

3. A-level attestation

Originating service providers should only authenticate calls with full attestation when they can confidently attest that the end user initiating the call is authorized to use the telephone number caller identity associated with the account of the end user.

Confidence for providing full attestation will come from completing the telephone number validation described above.

4. B- and C-level attestation

Originating service providers should only authenticate calls with partial or gateway attestation if telephone number validation has not been performed on the originating telephone number.

5. Third-party validation services

Originating service providers should use a third-party validation service when they cannot or choose not to perform telephone number validation. This approach may be particularly useful when vetting enterprises that acquire telephone numbers from multiple service providers.

6. International call originators using NANP numbers

Service providers that sell services to international call originators using NANP numbers should develop processes to validate that the calling party is authorized to use the telephone number or caller identity.

Domestic gateway providers may wish to include commercial terms and conditions with international providers that provide the tools and information to trust the validity of the calling identity.

7. Ongoing robocall mitigation

Service providers should have ongoing robocall mitigation programs in addition to call authentication.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. Contact us today to learn more about these solutions.