Prepare for the FCC robocall deadline

The recording from our recent webinar, How to Prepare and Register with the FCC’s SHAKEN/Robocall Mitigation Database, is now available.

The FCC’s Second Order for the TRACED Act mandates that calls from any voice service provider not registered with the new FCC SHAKEN/Robocall Mitigation Database by June 30, 2021 must be blocked. This presentation and discussion covers everything you need to know to comply with the TRACED Act and FCC orders.

Here are the slides used in the webinar presentation.

We’ve summarized and consolidated questions we received during the webinar and provided answers here. Contact us if you have further questions.

  • Questions and answers
    Is any recording of this seminar available?
    Yes, in this blog post (see above).
    Are the slides available?
    Yes, in this blog post (see above).
    Does the June 30th deadline also apply to carriers with fewer than 100,000 voice users?
    The FCC orders give voice service providers with fewer than 100,000 subscriber lines a deadline extension of two years, i.e., up until June 30, 2023. Such providers could go ahead and implement STIR/SHAKEN anyway should they wish to provide the benefits of call authentication to their customers as a customer acquisition and retention strategy.
    How many bytes does a signature/certification add to the typical SIP call after running through ClearIP? As a follow-up, are you recommending a TCP connection for outbound/inbound calls because of this additional information being added to the packets?
    The size of the Identity header carrying the SHAKEN PASSporT(s) varies by call scenarios, whether Rich Call Data has been added, and so forth. As a ballpark estimate, a basic Identity token might run abount 450 bytes. If there were multiple PASSporTs and Rich Call Data, then the size would increase.
    Does this apply to carriers only or do I need to be concerned as an enterprise administrator?
    The TRACED Act and FCC orders apply to voice service providers, not to enterprises. However, enterprise administrators have a strong vested interest in ensuring that their voice service providers use STIR/SHAKEN on their calls to improve outbound call completion, brand their outbound calls with Rich Call Data, and verify inbound signed calls.
    Is the attestation value transmitted for calls incoming into our network?
    It depends. The terminating service provider might just relay the verification status (verstat), or they might update the caller display name, or they might provide the attestation. The standards do not require the TSP to provide the attestation. TransNexus STIR/SHAKEN software makes the attestation level available as a configurable option.
    CSV upload for attestation?
    We think this question is asking whether authentication policies can be created by uploading a CSV (comma-separated value) file. It is possible to upload such records saved in an Excel file. It’s also possible to use the API to add records programmatically. However, we should first discuss your company’s attestation approach. You might be able to configure some or all of your authentication policies by groups.
    SIP Token RFC?
    There are several IETF RFCs that describe SIP token standards. See the TransNexus STIR/SHAKEN Info Hub standards list for links to the relevant RFCs.
    Do I go to iconective first before STI certification?
    Yes, you should register with the STI-PA to obtain a Service Provider Code (SPC) token. The STI-CA will require your SPC token before they can issue SHAKEN certificates. We have a blog post that describes the process. TransNexus is an authorized STI-CA. Once you’re registered with the STI-PA and have your SPC token, you can register with the TransNexus CA quickly and easily.
    Do you have a URL with a link to the existing database/Excel spreadsheet?
    The FCC Intermediate Provider Registry is available here.
    When will DIV PASSporTs be transmitted and verified within the PSTN?
    The standard for the DIVersion PASSporT extension was approved in September 2020 but is not yet in use.
    Is there a way to create a “whitelist” of high-volume callers?
    This depends upon the call analytics you’re using. We believe that it’s a mistake to whitelist a caller. Instead, we designed our call analytics to be self-learning. It identifies typical calling patterns and dynamically adjusts thresholds in real time to identify unusual calling patterns. When unusual patterns are spotted, the call analytics can either send an alert, or divert the calls, or even block them depending on the configuration options you choose.
    Is there a cross reference to match a carrier's certification number back to that carrier?
    Yes, the LERG (Local Exchange Routing Guide) provides that information.
    Is Attestation Level C able to be blocked? If not, is it likely to be flagged as Scam Likely?
    Neither the STIR/SHAKEN standards, nor the TRACED Act, nor the FCC orders prescribe such specific blocking. It would be possible to configure call analytics to perform such blocking, but we would not recommend it. The more typical, expected approach is that the SHAKEN verification status, and possibly the attestation level, would be used as inputs to call analytics algorithms, where it would be used along with other call attributes to determine whether calls should be labeled, diverted or blocked.
    Where is the reputation score coming from? Do you indicate which database has the reputation flagged as a scam likely?
    We have a web page that describes reputation scoring in more detail.
    Does it apply to U.S. toll free numbers?
    Yes, the rules apply to toll free numbers. STIR/SHAKEN for toll free numbers would require use of the DIV PASSporT, which is approved but not yet widely used.
    How does this work for in-roaming subscribers making calls to numbers on the visiting PLMN?
    The originating provider would not be able to authenticate the call using STIR/SHAKEN. They will be required to file a certification in the Robocall Mitigation Database, else U.S. providers cannot accept their calls with a U.S. NANP calling number and no registration on file.
    Suppose there is a call looping due to some configuration issues, there would few hundred calls within few minutes. Does this make a robocall?
    It depends upon the call analytics software you are using and how it’s configured. Such call traffic could certainly be identified as suspected robocalls.
    If you obtain DIDs from another service provider, do you still attest using your own certificate or is there some kind of proxy certificate from the original provider?
    This is a broad topic that is difficult to summarize in a short answer. There is such a certificate as you’ve described, called a delegate certificate, that could be used in customer-of-customer scenarios to sign calls with a higher level of attestation. ATIS-1000089, their Study of Full Attestation Alternatives, describes three alterative methods: delegate certificates, extended validation certificates, and TN letters of authorization, that could be used to achieve full attestation in customer-of-customer scenarios.
    We are using ClearIP. Can you provide help integrating the SHAKEN response (PAI, etc) with our Acme Packet SBCs?
    Yes, absolutely. We will follow up with you. Others with a similar question can contact us to arrange a call.
    What is the process to remove the number from the databases?
    TransNexus can help our customers by working with call analytics databases to correct the reputation of numbers misidentified as a spam caller.
    Why are the carriers that we have our numbers through not able to manage the registration process? We are not a carrier, so why are we responsible to register the numbers?
    If you are not a voice service provider, then you do not have to register. The carriers that provide your voice services are required to comply.
    As a carrier without access to the number pool, we need to register with the FCC Mitigation DB. How is this accomplished, there does not seem to be any group in charge of it?
    The FCC has directed its Wireline Competition Bureau to create the Robocall Mitigation Database and portal and to issue guidance for registration. TransNexus stands ready to help any TransNexus customer determine their robocall mitigation program, deploy it, and prepare their certification filing.
    How do I check the DB status of a carrier before I terminate a call?
    Fortunately, terminating service providers will not check filing status in real time while terminating each call. Instead, you should prepare a list of upstream providers that send you calls. You should then periodically check the Robocall Mitigation Database to confirm that they have a valid registration on file.
    The STI-PA doesn’t allow you to register yet without access to number pool. And there is no way to register with the DB.
    This is correct. We anticipate that the FCC Wireline Competition Bureau will make the Robocall Mitigation Database and portal available soon, perhaps sometime in April 2021.
    I have 100,000 numbers. How can I put a policy in for each of them?
    This is response to the webinar demonstration example where we showed how you can establish an authentication policy for one specific number. However, you do not have to create a separate policy for each number. The system is very flexible. It allows you to create policies for individual numbers, groups of numbers, or even one default policy for all numbers. You would configure your authentication policies according to your circumstances.
    Is TransNexus planning to register as a STI-CA in Canada?
    At this time, the Canadian Secure Token Governance Authority has identified a single STI-CA. If they decide they want to have more STI-CAs, then we will assess the opportunity at that time. Meanwhile, our STIR/SHAKEN software is a great solution for Canadian service providers.
    Any updates on enterprise certificate delegation?
    The ATIS standard for delegate certificates was approved on June 30, 2020. The STI-PA is expected to change their Certificate Policy to allow STI-CAs to issue delegate certificates. We do not have a date for that at this time.
    We have a 499# and a OCN #, and purchase #’s from two or three suppliers. How would we use your service for SHAKEN, mitigation?
    First, figure out what your robocall mitigation filing will be. If you become a TransNexus customer, we can help you prepare that quickly. As soon as the FCC makes the Robocall Mitigation Database and portal available, we would file your certification (or give it to you if you prefer to file it yourself). Once your certification filing is accepted and on file, then you will qualify to be an authorized service provider for SHAKEN under the new rules. Register with the STI-PA. We can help you with that too. TransNexus is a pre-approved SHAKEN vendor, so you’d sail through registration.
    Does SIP school have a specific training source just for SHAKEN?
    They cover STIR/SHAKEN as part of their SSCA SIP training program.
    Can you please clarify of the legislation/regulations on Robocalling? Is it 100% banned under all circumstances? (business/residential, fixed line / cellular)
    The rules apply to illegal robocalls. The FCC states that “Not all robocalls are illegal. There are several factors to consider: the technology used to make the call, whether the call is to a landline or a mobile number, whether the content of the call is telemarketing, and whether the called number is on the National Do Not Call Registry.”
    Can a non-US carrier get a FCC 449 and OCN?
    No.
    How to service providers outside the USA correctly integrate with this? Can a non-US carrier be part of this trust framework?
    A foreign service provider will be able to file a certification with the Robocall Mitigation Database. This would allow service providers in the U.S. to accept calls originated with a U.S. NANP calling number.
    Are NANP U.S. territories included in STIR/SHAKEN? Does the attestation persist in each direction?
    Yes, and yes.
    Where can we go to register with the FCC Robocall Mitigation Database?
    The Robocall Mitigation Database and portal are not available yet. We anticipate that the FCC Wireline Competition Bureau will make them available soon, perhaps sometime in April 2021.
    For the May 1st SHAKEN implementation with TransNexus, do I already need to have my OCN in place?
    You should begin the registration process now.
    So those SIP messages you have displayed is what the real time algorithm looks like? or is there other metrics?
    The SIP messages we used in the demo showed the information that’s used in STIR/SHAKEN and robocall mitigation. You can learn more about STIR/SHAKEN and robocall mitigation on our website.
    Is there a FCC website with a list of service providers who have completed the FCC requirements?
    There is a list of service providers on the iconectiv website that have been authorized for STIR/SHAKEN by the STI-PA. The Robocall Mitigation Database is not yet available.
    If the provider who terminates the call to our network is compliant, do we need to comply?
    If you are a voice service provider, then you need to comply.
    The statement on the screen is that “your calls will be blocked.” Can someone please provide a FCC DA- citation that provides this mandate?
    See the Second Report and Order, paragraph 86 on page 46.
    Can you tell me how Robocall mitigation works?
    Yes, we describe robocall mitigation methods on our website.
    I have heard some carriers will only have the authentication service (signing) piece of STIR/SHAKEN to meet the mandate. How come the FCC did not require the verification piece by June 30th as well?
    The FCC does require STIR/SHAKEN verification as well. It’s in the First Report and Order, paragraph 24: “In this Report and Order, we require all originating and terminating voice service providers to implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021.” (emphasis added)
    Can you discuss the reputation score a little more? Is this mandated for robocalling mitigation or something else?
    The FCC did not mandate specific methods for robocall mitigation. Instead, they require “practices that can reasonably be expected to significantly reduce the origination of illegal robocalls.” Reputation scoring is one such method, and a good one. We describe it further on our website.
    What if you wholesale voice services from a larger carrier? Our upstream providers are saying that they will provide the shaken services for us automatically. Does that seem accurate?
    Yes, that seems accurate. The FCC orders describe STIR/SHAKEN as taking place at origination and termination. Intermediate providers are required to authenticate unsigned calls, but this requirement is waived if they participate fully in traceback requests, which everyone expects they will do. Intermediate providers have to have a registration in the Robocall Mitigation Database, but the FCC says they will automatically roll over intermediate provider registrations from the Rural Call Completion list to the new database.
    How does this affect calls originating from outside of the US into the US?
    If such calls use foreign calling numbers, then there’s no compliance requirement. However, if foreign-originated calls have calling numbers from the U.S. NANP, then the provider must have filed a certification in the Robocall Mitigation Database. If they do not, then U.S. providers cannot accept such calls.
    Do you have Professional Services available to assist in getting us through the entire process?
    Yes, absolutely. We will contact you. If others have the same question, please contact us.
    If you currently do not have an OCN will we be able to apply and still meet the deadline?
    It will be close. We expect there will be a surge in applications, so the process might take longer. We suggest you move quickly.
    If we have fewer than 100k lines, why would we choose robocall mitigation over SHAKEN?
    It depends on your situation. If you have customers in a competitive market that are eager to have their outbound calls signed and inbound calls verified, then you might want to do STIR/SHAKEN sooner to improve customer acquisition and retention. If not, you might prefer to use robocall mitigation practices that make sense for your situation. We can help you identify the best practices. And when the time comes for you to start STIR/SHAKEN, you will already be using a software platform that supports STIR/SHAKEN. It will be easy to configure and go.
    There was mention of support for BroadWorks for things like attestation integration, etc. What about Metaswitch? What level of inter-op / functionality is available w/ Metaswitch CFS & Perimeta SBC?
    TransNexus software works very well with Metaswitch CFS and Perimeta. We have many customers using our software with Metaswitch products. We will contact you to follow up. If others have the same question, please contact us to learn more.
Overhead picture of a man looking at a laptop holding a cup of coffee

Topics covered

This covers the following topics:

  1. Overview of the FCC regulations
  2. How to register with the SHAKEN Policy Administrator
  3. How to integrate SHAKEN into your network—design options
  4. How to set attestation values
  5. SHAKEN for TDM
  6. FCC Robocall Mitigation requirements
  7. Traffic from International carriers
  8. How to certify with the FCC by June 30, 2021
  9. Next Steps:
    • Evaluation trial
    • Implementation
    • Creating and submitting a Robocall Mitigation Plan

Presenters

Jim Dalton, CEO, TransNexus
Jim Dalton
CEO
TransNexus
Alec Fenichel, Senior Software Architect, TransNexus
Alec Fenichel
Senior Software Architect
TransNexus

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their Robocall Mitigation certification with the FCC.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.