More rules proposed for STIR/SHAKEN, robocall mitigation

While adopting new STIR/SHAKEN and robocall mitigation rules for gateway providers on May 19, the FCC also proposed another round of new rules—twenty-six pages’ worth. Here’s a quick overview.

Proposed rules

The proposed rules are in section six of the document, Further Notice of Proposed Rulemaking (FNPRM). There are many subtle points and options mentioned in this discussion. We’ll give you a broad outline here:

  1. Extend SHAKEN requirement (sign unsigned calls) to domestic intermediate providers.
    1. Should the Commission require all providers to adopt a non-IP caller ID authentication solution?
  2. Extend some robocall mitigation requirements to all domestic providers:
    1. Enhanced affirmative obligations. This section includes several tactics to tighten robocall mitigation.
    2. Mandatory blocking of providers that fail to comply with FCC cease-and-desist letters
    3. General mitigation standard—providers must mitigate illegal robocalls regardless of whether they’ve implemented SHAKEN
    4. File a robocall mitigation plan in the Robocall Mitigation Database (RMD)
  3. The FNPRM includes several proposals to strengthen enforcement using forfeitures and removing a provider from the RMD.
  4. Should there be an explicit exemption for providers unable to implement STIR/SHAKEN?
  5. Does the TRACED Act apply to satellite providers?
  6. Should there be more limitations on use of U.S. NANP numbers for foreign-originated calls?
  7. Should the Commission allow a third-party authentication to satisfy an originating provider’s obligation?
  8. Should there be differential treatment of conversational vs. dialer traffic?

There’s a lot here. Some of this may seem familiar. Weren’t we doing this already? Yes, but not everywhere. The new rules would enforce these requirements all along the call path regardless of provider type.

Our thoughts

First, we’re delighted to see the range of proposed improvements. While the basic framework for robocall mitigation has been put in place, it isn’t working yet. There are too many holes. The FNPRM proposals look like a good start to close those gaps.

We won’t go into a detail discussion of all these proposals. Instead, we’ll focus on a few that we believe would have the most impact: SHAKEN for TDM and third-party SHAKEN.

SHAKEN for TDM

About 24% of calls received by our service provider customers are signed. Less than one out of four. That isn’t nearly enough participation to be effective.

The current rules allow an exemption from the SHAKEN rules for providers that rely on non-IP network technology. This exemption is supposed to remain until (a) a standardized non-IP call authentication method is developed, and (b) is commercially available.

Both conditions were met last year. There are two standardized methods for call authentication across non-IP network segments. They were approved in July 2021. They are commercially available. Time to start phasing out the non-IP exemption.

We have one minor quibble with this discussion in the FNPRM: The Commission asks whether they should require “all providers to adopt a non-IP caller ID authentication solution.” This proposed rule is too broad. It does not align with how the SHAKEN for TDM standards were designed.

The SHAKEN for TDM standards only require adoption by providers that rely on non-IP network technology. A provider that only uses SIP would not have to do anything. The Non-IP Call Authentication Task Force went to great effort to develop the standards this way. It’s only fair. If you’re using non-IP technology, then you should adopt a non-IP authentication method. If you are not using non-IP technology, then you don’t have to do anything.

Third party SHAKEN

Many providers claim in their RMD filing that they are doing complete SHAKEN when, in fact, they haven’t done anything. Instead, they’ve arranged with a downstream intermediate provider to sign their calls using the downstream provider’s SHAKEN certificate.

Think about it. The originating service provider has completely evaded the TRACED Act and FCC rules. They aren’t doing SHAKEN. They aren’t doing robocall mitigation either.

The downstream provider doesn’t sign these calls with full attestation. They haven’t verified the customer’s association with the calling number. So, they sign these calls with either B or C attestation.

We’ve noticed that calls signed with either B or C attestation are three times more likely to be robocalls than unsigned calls. That’s how a robocall-friendly provider beats the rules.

STIR/SHAKEN is designed with a governance structure to ensure accountability. A provider must be approved to participate. They use this approval to get a SHAKEN certificate, which they use to sign calls. They are held accountable for call authentication. This makes it easier to hold them accountable for illegal robocalls they sign too.

The downstream provider signing arrangement doesn’t follow the SHAKEN standards. It thwarts accountability, which makes it easy to relay illegal robocalls.

The solution is simple, and obvious: A provider must be approved to do SHAKEN to claim a SHAKEN implementation. This brings the provider into the SHAKEN governance system, where they can be held accountable.

new rules

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.