Webinar recording — Robocall mitigation filing essentials

The recording from our recent webinar, Robocall Mitigation Certification Filing Essentials, is now available.

The FCC has just published instructions for voice service providers to file their robocall mitigation certification. The clock is ticking. All voice service providers must file their certification by June 30, 2021, regardless of whether they will be using STIR/SHAKEN, robocall mitigation, or both.

If you do not have a certification on file, then other service providers will be required to block your calls.

Here are the slides used in the webinar presentation.

We’ve summarized and consolidated questions we received during the webinar and provided answers here. Contact us if you have further questions.

  • Questions and answers
    If you have a network that’s partially TDM and partially SIP, do you have to do robocall mitigation on the TDM parts if you’re doing SHAKEN on the SIP parts?
    Yes. There is a method that allows SHAKEN information to be sent separately, out of band, which enables STIR/SHAKEN for calls with a TDM segment in the call path, so this extension may change.
    Do Wholesale/Carrier contracts (switched access and BDS) need to have robocalling language added to them?
    We can’t give legal advice, but intermediate and terminating carriers should check that their upstream trunk carriers have robocall mitigation certifications on file, else you must stop accepting calls with U.S. calling numbers from them on September 28, 2021.
    So, we do not have to worry about inbound calls as the responsibility is on the call originator?
    The TRACED Act and subsequent FCC orders focus on the origination of illegal robocalls. These regulations require either SHAKEN or robocall mitigation on calls with U.S. NANP calling numbers that you originate.

    There’s a separate FCC docket on robocall prevention, which allows providers to block inbound illegal robocalls using reasonable analytics.
    Are you going to go on details of what steps we need to get certified in the FCC database? Is there a link for instructions?
    This session is focused on understanding the requirements, developing a compliance plan strategy, and some of the logistics involved. The specific steps of filing out the online form are available on the FCC RMD website.
    Do originating local and EAS calls have to be part of the mitigation plan?
    Yes.
    To claim full STIR/SHAKEN compliance, do you need to attest diverted calls as well?
    Yes.
    Do I only need to check carriers that I have direct connections to?
    Yes.
    What’s the profile of the traffic that triggers the prohibition of doing business with a foreign carrier (meaning, what does the calling party number have to look like)?
    If the call has a U.S. NANP calling number, then these FCC regulations apply.
    We are a TransNexus robocall mitigation user, does TransNexus have a plan that our company can use?
    Yes, we have prepared a template you can use. We will send that to you.
    What is the trigger date for when we can block INCOMING robocalls via opt-out method? 6/30 or 9/30?
    This was authorized by the Declaratory Ruling adopted by the FCC, paragraphs 33–38, on June 6, 2019.
    We have 99% of our traffic is international, either foreign-to-foreign or from USA-to-foreign. Only 1% of our traffic is USA (originated and terminated in USA) and this traffic is wholesale. We are not the main originator. We receive this traffic from operators. Do we need to implement STIR/SHAKEN?
    If you originate calls that have U.S. NANP calling numbers, then you must either authenticate them with STIR/SHAKEN or use a robocall mitigation program (if you’re eligible for an extension). If you terminate calls with STIR/SHAKEN information, i.e., signed calls, then you must verify them, unless you’re eligible for an extension.
    Can you confirm—the robocall mitigation plan is with respect to traffic that ORIGINATES on your network, not just transiting it?
    Yes.
    Is there cover from regulatory view if you find an end-user creating mischief via robocalling to discontinue services (less (911) without notice?
    Yes, there is. We can’t give legal advice, but you may want to check that your terms of service includes this provision. Also, we’ve seen the FCC give robocall originators 48 hours to cease-and-desist, rather than cut them off immediately without notice. We suggest you check with legal counsel.
    What about valid looking numbers that are not actually “valid” or don’t belong to you?
    Checking for invalid numbers is a good robocall mitigation practice. Our software uses information from the LERG, DNO lists, and other sources to identify invalid numbers.
    Does the FCC order define if providers need to recertify annually or at a specific interval?
    If you’ve certified with complete SHAKEN, then you do not need to recertify. However, the FCC said it will review their requirements annually. If they change requirements, then they may ask providers to update their certification filing.

    If you certify with partial SHAKEN or no SHAKEN, then you must upload a document that describes your robocall mitigation program for calls that you originate but do not sign. This document must describe what you are actually doing when you file it. If your program changes, then you file an updated document within 10 days.
    How do you distinguish valid international calls from invalid NANP +1 calls?
    Our software translates telephone numbers into standard E.164 format, then uses information the LERG, DNO lists, and other sources to identify invalid numbers.
    Can we schedule automatic reports to send us a list of outbound calls with a bad reputation? For instance, look for any score over 10 so we can get a jump on the problem before the score gets too high?
    You can enable automatic alerts. That’s the fastest, best way to get a jump on the problem. You can also run reports on demand.
    How culpable is a carrier that is an aggregator of traffic with only other companies as end users?
    Intermediate carriers are required to pass along SHAKEN information unaltered, cooperate with traceback, and block calls from upstream providers that do not have a registration on file in the Robocall Mitigation Database (RMD).
    Our voice calls originate on our network, the calls are then handed off to a voice service provider who is signing the calls for us. Will that satisfy the requirement of the FCC?
    It depends upon whether you are originating the calls, or the next voice service provider is originating the calls. If you are the originator, then you must do robocall mitigation, even though your calls are signed at the next step. If you are essentially a reseller without a network, and the calls are originated on the next provider’s network, then they are the originator.
    How do you investigate and remediate if one of your customers’ numbers is being abused?
    TransNexus helps our customers by working with data analytics providers to cure the reputation of a legitimate number that has acquired a poor reputation because other robocalls have illegally spoofed the number.
    If you sell SIP trunks to a hosted PBX reseller, they are required to get their own cert right? if someone resells our hosted PBX as their own brand I assume they can use our cert?
    We cannot provide legal advice, but the Governance Authority has established an STI Participant Agreement, which says that “grants to Service Provider a personal, non-transferable non-exclusive right to use the Service solely for purposes contemplated in this agreement… No right is granted to Service Provider to… transfer, assign or sublicense its access to the Service.”
    So TODAY do we need to do the interconnect voip? Or can we just wait until after June 30?
    The eligibility rules changed May 10, 2021. The requirements are now: 1. You’ve filed 499-A, 2. You have an OCN, and 3. You have a certification on file in the FCC’s Robocall Mitigation Database.
    Further to your last point, do we need to have filed a 499A form in order to get into the Robocall Mitigation Database?
    No, but you need an FCC Registration Number (FRN). If you’ve filed a 499-A, then you should have an FRN. If not, you can create a new account in the Robocall Mitigation Database and receive an FRN.
    If your company has multiple OCN’s, does every OCN have to file?
    No.
    If an operator uses numbers leased from a S/S compliant provider, and this operator does not generate or verify any certificates (since they don’t own the numbers) - but this operator transits any certificates received to the destination (e.g. PSTN), does this operator need to register in the database?
    Every voice service provider that originates calls with U.S. NANP calling numbers must register in the database. If you do not register, then downstream providers must block your calls.
    Seems like Chicken / Egg scenario. How do you certify SHAKEN in the FCC Database if you can’t get a certificate until you prove SHAKEN capability? Are there test certificates available to prove your network is SHAKEN capable
    The new eligibility rules went into effect on May 10, 2021. Providers who meet the new requirements can get their certification on file, then apply for an SPC token.
    What can be used as a “Letter of Authorization” for use of a number? Is a simple claim of authorization good enough, or does there need to be specific evidence? If so, what evidence is suitable?
    The CATA Working Group issued a Best Practices document that describes customer and telephone number vetting. ATIS and the SIP Forum released a study on full attestation alternatives that describes methods for using Letters of Authorization.
    We are a mobile carrier, so would all of our calls go out as B attestation?
    If you have vetted the customer and the number they are using, then you can give full attestation A.
    Does the ClearIP solution have a component that ties into the RMP Database for call blocking?
    No. The RMD is not checked on a call-by-call basis during call setup. Instead, providers will periodically check the RMD to verify that the providers from which they receive calls with U.S. NANP calling numbers have a registration on file in the RMD.
    How should a call that is coming with an international ANI be treated? Do we need to sign these calls as well, since it won’t be a NANP number?
    The standards indicate that you can sign such a call with gateway attestation C. However, the regulations do not require it, because such calls do not have U.S. NANP calling numbers. Some large providers have urged the FCC to discourage gateway providers from signing such calls. The gateway attestation is not of much use, they say, and they do not want to build out a larger infrastructure to process the additional information.
    What kind of authentication is required by traced act? Let’s say we have a known entity behind an IP address is it considered to be valid?
    The TRACED Act does not require a specific authentication. It requires the FCC to issue orders that require voice service providers to use STIR/SHAKEN and follow the standards.
    Does the receiving network reject calls if attestation is C or will they let it go?
    We do not expect any providers would simply reject calls with attestation C, nor should they. We expect providers might incorporate attestation level into their call analytics/call validation treatment.
    What is the status of OOB SHAKEN? Are any of the major cell carriers verifying calls they receive with OOB SHAKEN?
    The standards work is nearing completion. We expect it to go to letter ballot soon, although these things sometimes take longer than expected. It’s a great solution for calls that cross a TDM/SIP interconnection, enabling them to be included in the SHAKEN ecosystem.
    Are you aware of any major carriers that are paying attention to the RCD?
    We are not aware of major carriers using Rich Call Data currently. TransNexus software provides the option to use a verified RCD nam claim as the caller display name. This can save money on CNAM dips, and it may be more accurate in some cases.
    So, I provide trunks to customers with PBXs and they originate traffic. Does the responsibility of compliance for those lines fall to me or is it incumbent on the customer to comply?
    It depends upon whether you are originating the calls, or the next voice service provider is originating the calls. If you are the originator, then you must do robocall mitigation, even though your calls are signed at the next step. If you are essentially a reseller without a network, and the calls are originated on the next provider’s network, then they are the originator.
    IF I buy DIDs from a provider and they sign my outbound calls, would that be enough to say that we have implemented SHAKEN?
    It depends upon whether you are originating the calls, or the DID provider is originating the calls. If you are the originator, then you must do robocall mitigation, even though your calls are signed at the next step. If you are essentially a reseller without a network, and the calls are originated by the DID provider, then they are the originator.
    Will out of band STIR/SHAKEN be counted as a complete STIR/SHAKEN implementation if you have both SIP and TDM?
    Not currently. The FCC has said it will revisit this when the standards have been approved.
    We operate TDM on >90% of our inbound calls, the rest SIP inbound. SIP on outbound. STIR/SHAKEN is being implemented on our voice switch for outbound SIP and the few inbound SIP. Do we need to do robocall mitigation if 100% of our outbounds are STIR/SHAKEN?
    No.
    Do you have some wording to use in applying for RMP if we are using TransNexus?
    Yes, we have prepared a template you can use. We will send that to you.
    Does it say the calls will be blocked or could be blocked?
    “We prohibit intermediate providers and terminating voice service providers from accepting voice traffic directly from any voice service provider that does not appear in the database, including a foreign voice service provider that uses NANP resources that pertain to the United States to send voice traffic to residential or business subscribers in the United States.”
    What are the costs?
    We will contact you to set up a call to review the solution and configure a cost estimate.
    What does the SHAKEN TDM solution look like?
    It’s STIR/SHAKEN, with one capability added: SHAKEN PASSporTs can be sent across the internet, out of band, so they are not lost in TDM segments of the call path. We have more information on our website.
    If all my connections to other providers are not SIP even though my calls from my network will be sent to be signed, does this force me to certify as partial SHAKEN and partial Robocall Mitigation?
    Currently, you must do robocall mitigation on calls that rely on non-IP networks. If you are using SHAKEN on other calls, then yes, you would certify as partial SHAKEN and partial robocall mitigation.
    We don’t own our numbers. We get our numbers from Bandwidth and VoIP Innovations. Can we still get a Certificate to sign calls? Would we be a Interconnected VoIP Service provider?
    Yes, as long as you meet the requirements, which change after June 30.
    Does your system (NextOSS) need to be in the SIP call path or can it provide the report by processing CDRs?
    NexOSS can do both.
    Does the FCC check that your plan is complete and working?
    From their orders, we infer that the FCC will study a filing more closely if the provider is originating unlawful robocalls.
    Is the ClearIP solution complete enough to meet the robocall mitigation program requirements?
    Yes, absolutely. ClearIP provides a strong set of robocall mitigation capabilities.
    If I have a customer with high reputation score, how do I determine if they are behaving badly or ar a victim? How is that defined?
    If they have abnormally high call volume, then they might be originating unlawful robocalls. If their call volume is modest but their reputation is poor, then other robocall perpetrators might be spoofing their number, in which case they are a victim too.
    Does this include Local traffic, or is that considered not part of the PSTN?
    Yes. The First Order specifically includes on-net calls.
    Who is responsible for monitoring the database to determine if a service provider has submitted their RM plan or is Stir/Shaken compliant?
    Intermediate and terminating providers are responsible for checking the database for upstream trunks from which they receive calls.
    If we have current [1]499, filed request for [2] OCN and getting ready to file request with [3] FCC for direct access to NANPA — can we go ahead with [4] registering with FCC database, or need to wait until 2-3 is completed?
    Those items are prerequisites for approval as a SHAKEN service provider. Every provider has to register with the FCC database, whether they are doing SHAKEN or not. The type of certification you file would depend on whether you’ve completed the items in your list.
    If a provider has an enterprise customer that has their own DIDs, can they get an A attestiation from the provider if they supply a LOA listing their DID numbers?
    Yes. However, the originating service provider would probably want to confirm the LOA with the telephone number provider that issued the DIDs.
    Do most customers apply per number policy in your product or do general policies cover the signing role? Concerned for placing per customer number rules in your product, all the upkeep and maint.
    It depends on their situation. Wireless customers generally know their customers cannot spoof their calling number, so they can create a blanket policy for full attestation. Some network equipment provides similar assurance. But if spoofing is possible, then the provider may want to create either group or individual authentication policies. Our software has APIs that enable this to be done by an integration with a softswitch, which removes the maintenance and upkeep concern.
    Is restricting number spoofing on single line residential subscribers enough when combined with STIR/SHAKEN? Do we need to be concerned with robocalling if concurrent outbound call is limited to one call and they can’t spoof source DID?
    Yes, that’s sufficient.
    what if a foreign user makes a roaming call in our network for a U.S. terminating call? Which attestation can be applied as that could be a C?? or B??
    That would be a gateway C attestation. Attestation is based upon vetting of customer and telephone number, and that isn’t possible in this scenario.
    How does the traceback request process work, what data is expected to be provided on a request, which actions must be taken? What documentation is there?
    We described the traceback process in this blog post.
    Was TransNexus offering a registrations template for robocall mitigation filing?
    Yes, we have prepared templates for customers that use our software. The templates describe the robocall mitigation capabilities, which provides the details the FCC is looking for.
    I understand there was some ambiguity concerning intermediate carrier requirement to verify downstream carriers so upstream may not be protected. Has FCC cleared this up?
    We are not aware of this issue. The robocall mitigation certification requirement pertains to calls received from upstream providers.
    If you are the terminating carrier, must you block calls from providers that are not in the database, i.e. what does intermediate carrier actually mean?
    It means the upstream providers from which you receive calls must have certifications filed in the database.
    Would a good Acceptable Use Policy need to be updated to cover the policies included in Robocall Mitigation and SHAKEN?
    Yes, we expect providers will want to review their terms and conditions to make sure these policies are covered.
    Is manual action on the information in the example report with scheduled email sufficient "robocall mitigation"?
    The FCC said the acid test for sufficient robocall mitigation is whether you originate unlawful robocalls. They went out of their way to avoid prescribing specific methods. Instead, they focus on results.
    If I am a provider with < 100,000 lines, I have some SIP orig/term trunks, but mostly all TDM. Do have the option not sign to start and ease into signing?
    Yes. You’re eligible for the small provider extension for two years and the non-IP extension until a non-IP authentication method is approved. You would do robocall mitigation. You can also ease into signing with out of band SHAKEN, which would provide customers STIR/SHAKEN benefits. Our robocall mitigation solutions also provide the platform for STIR/SHAKEN as you ease into it.
    Who hold the database of attestation values and how is it assessed? Also, say I have 10,000 customers that use 13,000 numbers. Do I have to attest to the level of each customer and number?
    There are only three attestation values. They are described in ATIS-1000074. Depending on your call scenarios and network equipment, you may be able to create a few group authentication policies, or you might need many individual policies. In that case, you would want to use the API to create these policies from your softswitch.
    What’s the precise definition of a calling party US number?
    It’s a telephone number that’s included in the U.S. NANPA (North America Numbering Plan).
    Who will be monitoring the Data base to stop inbound calls, not in date base?
    Intermediate and terminating providers must periodically check that the upstream providers from whom they receive calls have certifications on file in the database.
    Do I have to enable outbound mitigation on EAS and local calling?
    Yes.
    For Call Centers located out of the country, do they need to register with any U.S. entity if they use US DIDs?
    Yes. They should create a certification registration in the RMD. The form includes a checkbox for foreign service providers.
    Is there a particular SBC that you recommend for Caller ID Authentication implementation?
    Our software works with any leading SBC. We have a list of interop technology partners on our website.
    If a company is not yet SIP, how will it identify calls to block on the terminating end on common trunks? Or is it always up to the intermediate provider to block?
    Intermediate and terminating providers must periodically check the RMD to verify that their upstream providers have a certification on file in the RMD. This is not done during call processing, it’s a periodic administrative check. It doesn’t require SIP.
    Basically do we need to vet the internal connections and have a certificate for an internal calls or the internal authentication is up to us?
    In the case of using DISA to place a call, would the attestation be B where you validate the customer but not the number?
    Yes, this would likely be a partial attestation B situation. However, it depends on whether the originator signing the call can say that they know the caller and know that the caller is authorized to use that number. Appendix A of the CATA Working Group Best Practices document has a good discussion of this.
    For context to my last question: foreign service providers don’t necessarily 499A forms.
    Yes, that is correct. A 499-A is not required to register in the RMD. Foreign service providers can register in the RMD, and they should, if they originate calls with U.S. NANP calling numbers.
    How about a call forwarded call? Where we pass along the calling number to the forwarded number?
    There is an approved standard for diverted calls, including call forwarded calls. It is not widely implemented yet.
    What are the costs for ClearIP product?
    We will contact you to set up a call to review the solution and configure a cost estimate.
    What if I have a reseller who uses our platform and does have a 499a. Do I need to upload their cert into our platform?
    We cannot provide legal advice, but the Governance Authority has established an STI Participant Agreement, which says that “grants to Service Provider a personal, non-transferable non-exclusive right to use the Service solely for purposes contemplated in this agreement… No right is granted to Service Provider to… transfer, assign or sublicense its access to the Service.”
    Can I upload a reseller cert and sign their calls?
    We cannot provide legal advice, but the Governance Authority has established an STI Participant Agreement, which says that “grants to Service Provider a personal, non-transferable non-exclusive right to use the Service solely for purposes contemplated in this agreement… No right is granted to Service Provider to… transfer, assign or sublicense its access to the Service.”
Filing deadline is June 30, 2021

Topics covered

In this webinar, we review the instructions and show you how you can fulfill this requirement easily and on time.

  • Overview of FCC regulations
  • Public Notice — April 20, 2021
  • Implementing a Robocall Mitigation Program
  • Implementing SHAKEN
  • How to meet the FCC deadline, June 30, 2021
  • Questions and answers

Presenters

Jim Dalton, CEO, TransNexus
Jim Dalton
CEO
TransNexus
Alec Fenichel, Senior Software Architect, TransNexus
Alec Fenichel
Senior Software Architect
TransNexus

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their Robocall Mitigation certification with the FCC.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.