Branded calling, Know-Your-Customer, and STIR/SHAKEN

We’ve been discussing the STI Governance Authority’s recent guidance on STIR/SHAKEN attestation and its implications for Know-Your-Customer (KYC) vetting and branded calling. In this article, we connect these dots.

You may recall that we recently reviewed a new guidance document from the STI-GA, Definition of Improper Attestation. Our blog post emphasized the importance of signing providers following the attestation criteria provided in the STIR/SHAKEN standards document ATIS-1000074.

Know Your Customer

Here’s an important note in the STI-GA guidance about KYC and attestation:

A call given C-Level Attestation where the OSP is under an FCC know your customer requirement, is a call for which the level of Attestation is inconsistent with the information the OSP has, or is required to have, about the call.

This guidance makes sense. If the Originating Service Provider (OSP) is required to know their customer, then how could they sign a call with C-level attestation? In most calling scenarios, the OSP would be expected to sign calls it originates for its customers with either A- or B-level attestation.

The FCC has launched a discussion on Increasing Trust in Caller ID By Providing Accurate Caller Name to Call Recipients in their Eighth Further Notice of Proposed Rulemaking on robocall mitigation (CG Docket No. 17-59), paragraphs 95–100.

In this FNPRM, the Commission noted that:

  • Full A-level attestation alone may not give subscribers confidence to answer calls. They need to see a caller’s name too.
  • The combination of full attestation, meaning the number was not spoofed, along with an accurate caller name would be a real benefit to consumers.

Branded calling

There’s been a lot of buzz in the telecom industry and among enterprise callers about branded calling. It provides ways to present the brand identity, i.e., the calling name, reliably and consistently, even to subscribers using phone service that doesn’t provide CNAM services.

This raises a question: Should a voice service provider or third-party service enable callers to present any name they want? Or should the provider or service do some KYC vetting?

Rich Call Data

One mechanism developed to present branded calling is Rich Call Data (RCD), which is part of the STIR/SHAKEN framework. It’s described in ATIS-1000094, which states that:

The OSP shall perform RCD authentication only if the criteria for “A” attestation are met; e.g., as specified in ATIS-1000074 or based on receiving a valid base PASSporT from the originating customer as described in Clause 6.1 of ATIS-1000092. The RCD authentication service shall populate the by-value and by-reference contents of the “rcd” claim based on vetted information.

This makes sense. The authentication signer should not present caller identity information, including branded calling, that has not been vetted.

Our thoughts

  • Branded calling can bring significant benefits to subscribers and enterprise callers.
  • To provide these benefits, branded calling information must be accurate and trustworthy.
  • The STI-GA, STIR/SHAKEN standards, and FCC regulations are talking about KYC requirements as an essential part of call authentication.
  • Branded calling information should be based on vetted information gathered in a reasonable KYC process.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.
