Originating provider fined for improper attestation

The FCC proposed a $2 million forfeiture penalty be imposed on a voice service provider for allegedly applying improper attestation levels on calls it originated and authenticated with STIR/SHAKEN. Let’s have a look at the details.

This proposed forfeiture penalty is for allegations of illegal robocalls placed to New Hampshire residents two days before the New Hampshire primary election. These calls carried a deepfake audio recording of President Biden’s voice telling voters not to vote in the upcoming primary.

In a separate action, the FCC proposed a $6 million penalty against Steve Kramer, a political consultant, for allegations that he perpetrated the robocalls.

In this article, we review the penalty proposed against the originating service provider, Lingo Telecom, LLC, for allegations of improper attestation using STIR/SHAKEN. The notice of apparent liability for forfeiture describes the FCC’s thought process regarding the proper use of attestation levels and know-your-customer processes. This might be instructive for other voice service providers.

The Commission’s notice alleges the involvement of the following parties:

• Steve Kramer, who perpetrated the robocalls using as caller ID the phone number of a New Hampshire political operative who was not involved in making the calls and had not authorized their number to be used in connection with the calls.
• Voice Broadcasting Corp., which Kramer engaged to place the calls
• Life Corp, which provided the services and equipment used to place the calls
• Lingo Telecom, which originated the calls and authenticated the caller ID information using STIR/SHAKEN.

Attestation

The FCC found that Lingo incorrectly applied A-level attestation to 2,000 calls it originated. (The Commission calculated the $2 million forfeiture as 2,000 calls × $1,000 per call).

The Commission cited ATIS-1000074, which establishes that, for an A-level attestation, the signing provider:

1. Is responsible for the origination of the call onto the IP-based service provider voice network
2. Has a direct authenticated relationship with the customer and can identify the customer, and
3. Has established a verified association with the telephone number used for the call.

Lingo first claimed that it inadvertently applied A-level attestation and was working to fix the problem.

Later, Lingo claimed that it had verified the ownership of the calling number through a contractual relationship with Life Corp. Lingo claimed that its policy “allowed for its customers to receive an A-level attestation if the customer certified that it will identify its customer and has a verified association with the telephone number used for the call.”

The FCC found Lingo’s arrangement to be deficient.

The Commission stated that a provider may not satisfy the A-level attestation requirements with a generic, blanket, check-the-box agreement that shifts the entire responsibility for compliance onto the customer.

The Commission found that “Lingo abdicated its verification responsibility by punting the duty to its customer with absolutely no credible basis to believe its customer was taking any steps to make the necessary verification.”

Know your customer

The Commission also found that “Lingo’s improper attestation exposes its glaringly deficient KYC (Know Your Customer) practices.”

In its notice, the Commission cited existing rules stating that “It is incumbent on all voice service providers to ‘take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence.’”

Neither Life Corp nor its customer, Voice Broadcasting Corp, had a verified association with the illegally spoofed calling number. The Commission cites this as evidence of a failure to use proper KYC processes.

Lessons for other voice service providers

The Commission’s notice is instructive to other voice service providers in the following ways:

• Contractual terms cannot punt attestation determination to the signing provider’s customer. The attestation criteria must be followed properly.
• Originating voice service providers must have effective KYC practices. Improper attestation of illegally spoofed calls is evidence of failed KYC practices.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 25 years of experience in providing telecom software solutions including branded calling, toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.