FCC issues further rules on SHAKEN and robocall blocking
The FCC today published the next round of rules for robocalls and STIR/SHAKEN deployment. There’s quite a lot in this 93-page document. We’ve summarized it for you here.
Steps taken so far
The TRACED Act was signed into law on December 30, 2019. This law directed the FCC to issue orders to require industry to deploy STIR/SHAKEN.
The TRACED Act included related provisions to support the call authentication rollout and give the Commission some leeway to develop specific details in support of this rollout.
The FCC issued their First Report and Order and Further Notice of Proposed Rulemaking to implement the TRACED Act on March 31, 2020.
In the first order, the Commission issued a mandate for all originating and terminating voice service providers to implement STIR/SHAKEN in the IP portions of their networks by June 30, 2021. The order explains that they were issuing the mandate at that time because the state of industry-wide implementation as of the end of 2019 demonstrated that further government action was necessary for timely, ubiquitous implementation.
The mandate covered three call scenarios:
- Calls that exclusively transit a voice service provider’s own network;
- Calls that a voice service provider originates and will transmit to the next provider in the call path, if technically feasible (i.e., are being placed on an IP network);
- Calls that a voice service provider terminates and that have authenticated caller ID information.
Note that the mandate did not apply to the following:
- International calls brought into the U.S. network by gateway providers
- Unsigned calls transmitted by intermediate carriers
- Calls that are placed on or received from non-IP networks, i.e., TDM/SS7.
New items in the Second Report and Order
The second report and order includes provisions described in the following sections.
Definition of voice service provider
The order extends the definition of a voice service provider to include over-the-top (OTT) services that possess technical control over the origination of calls on their platform.
We’re not sure how this will square with the STI-GA’s current requirement that service providers must have access to numbering resources to qualify as an authorized service provider. Many OTT providers do not satisfy the current requirements.
Note that this second order includes related discussion of this topic in the discussion of deadline extensions described below.
In the order, the Commission explained that they would require two things before mandating out-of-band SHAKEN:
- Fully developed and finalized standards.
- Equipment and software necessary to implement it available on the commercial market.
The Out-of-Band standards, which describe the option to transmit tokens out-of-band, are well on their way. The existing STIR/SHAKEN standards are still applicable when using the out-of-band option.
TransNexus has included the Out-of-Band SHAKEN option in our SHAKEN solutions for well over a year now. We understand that other SHAKEN solutions developers are working on it. To assist with this effort, we developed an open source Call Placement Service (CPS) and have offered it free of charge to any software developer or service provider who wishes to use it. We also offer a hosted version free of charge.
Extension of deadline for SHAKEN mandate
The order granted extensions of the STIR/SHAKEN mandate for the following:
- A two-year extension for small, including small rural, voice service providers with fewer than 100,000 voice subscriber lines;
- Voice service providers that cannot obtain a certificate due to the Governance Authority’s token access policy until such provider is able to obtain a certificate;
- A one-year extension to services scheduled for section 214 discontinuance;
- Parts of a voice service provider’s network that rely on technology that cannot initiate, maintain, and terminate SIP calls until a solution for such calls is reasonably available.
The first extension is to avoid hardship and undue burden for this class of providers.
The second extension is necessary because the current STI-GA policy has three requirements that service providers must satisfy in order to receive a Service Provider Code, which is necessary to obtain SHAKEN certificates:
- Must have filed a Form 499A
- Must have an OCN (Operating Company Number)
- Must have direct access to telephone numbers.
That third requirement excludes many interconnected VoIP carriers, including over-the-top (OTT) carriers, who are now included in the mandate. But how could OTT carriers be subject to the mandate if they can’t get SHAKEN certificates? The Commission granted this extension until either such providers can meet the STI-GA’s policies or the STI-GA changes this policy. Stay tuned.
The third extension gives providers time to shut down service that was already planned to be discontinued.
The fourth extension is required by the TRACED Act.
The FCC is required to reevaluate extensions it has granted annually.
TransNexus STIR/SHAKEN software solutions are the most affordable commercial software products available. They’re easy to deploy with TDM and/or SIP networks.Learn more
All voice service providers who receive an extension to the mandate are required to deploy a robocall mitigation program. This requirement is satisfied by documenting and publicly certify how they are complying with these requirements.
The Commission provides only one prescriptive component of the robocall mitigation program: cooperation with the Commission, law enforcement, and the Industry Traceback Group in investigating and stopping illegal robocallers.
All voice service providers must certify that their traffic is either signed with STIR/SHAKEN or subject to a robocall mitigation program as described above.
The Commission will establish a portal on the fcc.gov website to accept these certification filings. These filings will be stored in a database and be made publicly available.
Intermediate and terminating voice service providers will be prohibited from accepting voice traffic from any voice service provider that does not appear in this database.
Foreign voice service providers
Foreign voice service providers that use NANP numbers that pertain to the U.S. to send calls to the U.S. must participate in the compliance filing described above.
Line item charges
Voice service providers are prohibited from imposing additional line item charges for caller ID authentication on consumer or small business subscribers. Consumers are residential mass market subscribers. Small business subscribers are those that meet the Small Business Administration definition of small business.
The Commission declined to prohibit voice service providers from recovering the costs of call authentication through alternate means. They explained that such prohibition would go beyond the requirements of the TRACED Act. Furthermore, they pointed out that some providers may not have the resources to absorb the cost of implementing caller ID authentication.
Intermediate providers are required to pass unaltered any Identity header that they receive. However, the Commission granted two exceptions:
- An intermediate provider may strip Identity headers for technical reasons where necessary to complete the call. For example, the Identity header may be too large to successfully transit the network.
- An intermediate provider may strip Identity headers for security reasons where the Identity header presents a threat to its network security. Examples include Server-Side Request Forgery (SSRF) and Telephony Denial of Service (TDoS) attacks.
Intermediate providers are required to authenticate caller ID information of a call that it receives with unauthenticated caller ID information that it will exchange with another service provider as a SIP call. However, an intermediate provider is relieved of this obligation if it has registered with the industry traceback consortium and responds to traceback requests it receives from the Commission, law enforcement, and the industry traceback consortium.
The Commission did not create special rules for gateway providers. They will be required either to authenticate foreign-originated calls that they put on the network or participate in traceback.
This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.
TransNexus has a comprehensive suite of robocall prevention solutions.Learn more