The final countdown to the June 30, 2021 TRACED Act (Stir/Shaken) compliance deadline has officially begun!
[Click linked text for advisory announcing the availability of the Robocall Mitigation Database (and associated rules)]
“Robocall Mitigation Plan”
What is it? And How The CommLaw Group Can Help
As both a legal and practical matter, all Voice Service Providers (“VSPs”) must develop a robocall mitigation plan (“RMP”), file it with the FCC and, after Commission approval, be listed in the FCC’s robocall mitigation database. An RMP is required by the FCC in order for any VSP to take advantage of the STIR/SHAKEN compliance extensions that were granted in the FCC’s Second R&O in the Call Authentication Trust Anchor docket. For example, small VSPs that serve fewer than 100,000 access lines or VoIP seats automatically qualify for a two-year extension for STIR/SHAKEN compliance until June 30, 2023. But as a condition of receiving the extension, they must comply with the RMP requirements, as do larger VSPs that cannot obtain token access at this time.
The mitigation plan must be clearly and specifically documented, and VSPs must publicly certify that their plans meet FCC standards, by May 6th, 2021. The FCC considers a robocall mitigation plan “sufficient” if it contains “detailed practices that can be reasonably expected to significantly reduce the origination of illegal robocalls.” At this time, the Commission has avoided designating specific technologies or procedures “[b]ecause illegal call mitigation is evolving [and] it would be premature to mandate any specific practices or standards in the near-term.” However, the FCC has outlined three objectives which mitigation plans must achieve in order to be satisfactory:
- VSPs must take reasonable steps to avoid originating illegal robocall traffic (the FCC recommends the use of reasonable analytics);
- VSPs must commit to respond to requests from the Industry Traceback Group (also known as the Industry Traceback Consortium) to trace suspect calls back to their origin; and
- VSPs must cooperate in investigating and stopping any illegal robocallers (meaning that the affected VSP must block calls or callers that are believed to be illegal).
Without listing specific technologies or methodologies, the FCC has published principles for robocall mitigation best practices. Robocall mitigation methods can be categorized as steps which VSPs should take before commencing service, during provision of service, and after an attack on the system by bad actors. The exact techniques used will vary according to the unique circumstances of each VSP and the continued development of mitigation technologies.
The Commission stresses the need for flexibility and continuous improvement of processes, as the technology used to make robocalls, as well as the technology used to prevent them, is constantly changing and evolving. A mitigation plan must be both specific and reasonable in order to satisfy the requirements of the new law. A mitigation plan will be found insufficient if a VSP “knowingly or through negligence” serves as originator to illegal robocall campaigns.
Before Service Is Established for a New Customer
Customer Vetting a/k/a “Know Your Customer”
- Small business and residential voice service customers pose the lowest risk of robocall origination; larger commercial customers and VoIP wholesale customers pose the highest. Many foreign illegal robocallers use VoIP services and DID numbers from the North American Numbering Plan (“NANP”) to suggest that their calls were originated within the United States. Customers located outside the United States using NANP numbers require a much deeper investigation before onboarding those customers.
- VSPs should collect and verify information for each commercial customer such as physical business location, contact person(s), state or country of incorporation, federal tax ID, and the nature of the customer’s business. Firmly establishing the existence of the customer can prevent easy spoofing of corporate identity by bad actors.
Mitigation Through Contracts
- Provisions requiring customer assistance in traceback investigations should be included in all service contracts. Wholesale providers, including those that are used in a least-cost routing plan, should require VSPs to identify the “upstream” source of illegal calls on their networks, and to identify their own customers who originate illegal calls.
Participate in the FCC’s Enforcement Database
- The FCC has announced it will create a database of approved entities, the Service Provider Registration Portal, for use by law enforcement, as well as screening by intermediate and terminating voice service providers. The details have not yet been released in an expected Public Notice, but it will be important for all VSPs to know whether they must register, and how to do so.
Caller ID and Blocking
- End user customers should have access to call blocking mechanisms that are free and easy to use at the individual number and network level. VSPs should regularly update these systems and communicate with customers to ensure they are aware of the caller ID and blocking mechanisms available to them.
Monitor Traffic with Analytics
- Dynamic Traffic Analysis can identify behaviors which indicate illegal call activity, such as intermittent bursts of high activity, suspiciously low call completion rates/short call times, and evidence of systematic calling, or “war dialing.” Abnormally high-volume call patterns from a commercial customer are a common symptom of illegal robocalling. Illegal call originators can sometimes be identified by examining Call Detail Records and checking numbers dialed against the National Do Not Call Registry.
- It may be necessary to contract with third-party vendors for these advanced services. Though the FCC acknowledges the additional expense of compliance, VSPs are prohibited from adding a line item charge for robocall mitigation to customer bills.
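As an added illustration of the traffic analysis described above (not part of the original advisory and not an FCC-specified method), the following sketch flags customers in a batch of Call Detail Records on three of the named indicators: low call completion rate, short call times, and sequential "war dialing." The record layout, customer names, phone numbers, and all thresholds are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample CDRs: (customer, dialed_number, answered, duration_seconds).
SAMPLE_CDRS = (
    [("cust-A", f"+1202555{n:04d}", n % 10 == 0, 4 if n % 10 == 0 else 0)
     for n in range(100, 160)]  # 60 sequential numbers, few answered, short calls
    + [("cust-B", "+12125550101", True, 185),
       ("cust-B", "+13125550144", True, 240),
       ("cust-B", "+14155550199", False, 0),
       ("cust-B", "+12125550101", True, 95)]
)

# Assumed thresholds (hypothetical); tune against your own baseline traffic.
MIN_CALLS = 20               # too little traffic to judge below this
MIN_ANSWER_RATE = 0.30       # below this: suspiciously low completion rate
MIN_AVG_DURATION = 10.0      # seconds, averaged over answered calls
MAX_SEQUENTIAL_SHARE = 0.50  # share of calls dialed to previous number + 1


def sequential_share(numbers):
    """Fraction of calls whose dialed number is exactly one above the previous call's."""
    digits = [int(n.lstrip("+")) for n in numbers]
    if len(digits) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return hits / (len(digits) - 1)


def flag_customers(cdrs):
    """Return {customer: [reasons]} for customers matching any indicator."""
    by_customer = defaultdict(list)
    for customer, dialed, answered, duration in cdrs:
        by_customer[customer].append((dialed, answered, duration))
    flagged = {}
    for customer, calls in by_customer.items():
        if len(calls) < MIN_CALLS:
            continue
        answered = [d for _, ok, d in calls if ok]
        reasons = []
        if len(answered) / len(calls) < MIN_ANSWER_RATE:
            reasons.append("low_completion_rate")
        if answered and sum(answered) / len(answered) < MIN_AVG_DURATION:
            reasons.append("short_calls")
        if sequential_share([n for n, _, _ in calls]) > MAX_SEQUENTIAL_SHARE:
            reasons.append("sequential_dialing")
        if reasons:
            flagged[customer] = reasons
    return flagged
```

A flag here is a prompt for the investigation step described in the next section, not proof of illegal calling; legitimate high-volume callers can trip the same thresholds.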
Investigate Suspicious Activity
- When traffic analysis indicates the presence of likely illegal robocalling, VSPs must have a plan for investigating and addressing the behavior. Responses can include conducting traceback investigations to identify the source of the calls, verifying suspicious activity with customers, suspending customers who are putting robocalls into the system, and contacting relevant law enforcement agencies. VSPs should have a mechanism for halting customers’ ability to make new calls and suspending service once illegal robocalling is detected.
After Service Has Been Used for Illegal Robocalling
Cooperate with Investigative Bodies
- Traceback investigations into the origins of illegal calls are a major component of STIR/SHAKEN enforcement and robocall mitigation even for VSPs who have not yet fully implemented STIR/SHAKEN authentication. In addition to conducting their own traceback investigations into suspicious activity, VSPs should be ready to comply with traceback requests by law enforcement, the FCC, or the Industry Traceback Group, the official consortium designated to lead private traceback efforts. Companies should designate a single point of contact to handle traceback requests and coordinate with outside investigations.
Communicate with State Attorneys General
- It is imperative that VSPs maintain regular contact with state attorneys general in order to stay on the same page as law enforcement and government. As with traceback investigations, companies should have a designated single point of contact for states to reach. The establishment of regular formal channels helps keep both state officials and private actors up to date on the latest robocall mitigation technologies and standards. With the techniques for creating mass robocalls constantly changing, industry wide public-private communication is crucial to keeping networks secure and up to date.
NEED HELP WITH ROBOCALL MITIGATION AND COMPLIANCE?
The CommLaw Group Can Help!
Given the complexity and evolving nature of the FCC’s rules, regulations and industry policies & procedures around Robocall Mitigation and Compliance issues (e.g., Stir/Shaken, TRACED Act, FCC Rules & Regulations, US Telecom Industry group, ATIS, NECA, VoIP Numbering Waivers, Know Your Customer (effective May 6, 2021) and the private sector ecosystem), and anticipating the potential torrent of client questions and concerns, The CommLaw Group formed a “Robocall Mitigation Response Team” to help clients (old and new) tackle their unique responsibilities. The potential blocking of your company’s voice (and other) traffic due to non-compliance is very real, and very scary. Your company must be certain it achieves sufficient comfort knowing that it is doing everything it can, as efficiently and intelligently as it can, to achieve the level of compliance needed to avoid sleepless nights as the June 30, 2021 deadline approaches.
CONTACT US NOW, WE ARE STANDING BY TO GUIDE YOUR COMPANY’S COMPLIANCE EFFORTS
 Call Authentication Trust Anchor, Second Report & Order, WC Docket No. 17-97, FCC 20-136 (rel. October 1, 2020) (“Second R&O”).
 Since each VSP, beginning May 6, 2021, must take “affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic,” those measures constitute an RMP that should be recorded at least for internal use. As more information becomes available and as VSPs get closer to the FCC filing date, changes and additions may be appropriate.
 In paragraph 83 of the Second R&O, the FCC stated: “We direct the Bureau to release this Public Notice no earlier than March 30, 2021, and to establish a deadline for the filing of certifications no earlier than June 30, 2021.” The Public Notice was released on April 20, 2021 and is the subject of a separate Client Advisory.