Lingo FCC compliance plan and lessons for other providers

The FCC announced that it entered into a consent decree with Lingo Telecom to settle its investigation of improper STIR/SHAKEN attestation. The agreement includes a compliance plan to ensure future compliance with communication laws. The details of this plan should be of interest to other voice service providers when thinking about their compliance efforts. Let’s have a look.

Background

On January 21, 2024, two days before the New Hampshire primary, potential voters in New Hampshire received robocalls with a generative AI deepfake voice recording that impersonated President Biden. The recording told the called parties to “save your vote for the November election[…] Your vote makes a difference in November, not this Tuesday.”

Here’s a list of the people and entities alleged to be involved in producing and carrying these robocalls, according to the FCC’s Notice of Apparent Liability:

  • Steve Kramer, a political consultant who was responsible for the calls
  • Voice Broadcasting Corp. transmitted the calls on behalf of Kramer
  • Life Corp. provided the services and equipment to transmit the calls
  • Lingo Telecom was the voice service provider that originated the calls on the service provider voice network. Lingo used STIR/SHAKEN to authenticate the calling information with an A-level attestation.

The robocalls illegally spoofed the calling number of a Democratic Party operative in New Hampshire. This person was not involved in the calls.

Lingo Telecom told the FCC that it verified the ownership of the calling number through a contractual relationship with Life Corp. Lingo Telecom said that it provides A-level attestation with non-Lingo provisioned numbers if the customer (Life Corp., in this case) certifies a verified association with the calling number.

The FCC determined that Lingo incorrectly applied A-level attestations to these calls. It cited the ATIS-1000074 standards document, which states that, for an A-level attestation, the authenticating provider:

  1. Is responsible for the origination of the call onto the IP-based service provider voice network
  2. Has a direct authenticated relationship with the customer and can identify the customer, and
  3. Has established a verified association with the telephone number used for the call.

The Commission found that a provider may not satisfy the obligation for a verified association between the customer and the calling number with a generic, blanket, check-the-box agreement that shifts the entire responsibility for compliance onto the customer. For this reason, the Commission found that Lingo’s application of A-level attestation was improper.

Order and Consent Decree

The Commission announced an order and consent decree with Lingo Telecom on August 21, 2024. The consent decree includes information about how Lingo will comply with its obligations.

Compliance plan

The consent agreement requires Lingo to develop a compliance plan, including:

  1. Operating procedures
  2. Compliance manual
  3. Training program

The operating procedures require that “Lingo Telecom may only apply an A-level attestation to a call if Lingo Telecom itself has provided the Caller Identity to the calling party associated with the Call.”

  • “Caller Identity” means the originating phone number included in call signaling used to identify the caller for call screening purposes.
  • “Call” means a call originated on behalf of a calling party by Lingo Telecom.

Notice that this requirement echoes the attestation criteria described in ATIS-1000074.

The agreement also requires Know-Your-Customer (KYC) measures for customers who purchase services from Lingo and for immediate upstream providers who send calls directly to Lingo.

Takeaways

The consent decree and operating procedures provide important information for other voice service providers to consider. We think the following takeaways stand out:

  1. A provider can’t punt responsibility for attestation levels to its customers. As the standards state, the signing provider must have a direct authenticated relationship with the customer and a verified association with the calling telephone number to confer an A-level attestation.
  2. An originating provider can get into serious trouble for the misdeeds of a caller it may not even know.
    • A robust, effective KYC program for customers and upstream providers, coupled with the proper application of call authentication attestation levels, can help protect providers from legal peril.
A sign with the words talk learn grow

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 25 years of experience in providing telecom software solutions including branded calling, toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.