The FCC’s Fourth STIR/SHAKEN Report and Order (“R&O”) will go into effect on February 24, 2022. As explained in an earlier advisory, the R&O shortens the current two-year extension for some categories of small voice service providers (“SVSPs,” those with 100,000 or fewer voice service subscriber lines) to fully implement the STIR/SHAKEN caller ID authentication standards.
Separately, we understand that there is growing confusion regarding the compliance obligations of non-facilities-based resellers of voice services, prompted by emails sent to numerous companies by the FCC. We believe the issue is due in large measure to the FCC’s lack of understanding of its own rules/requirements and how they intersect with a specific segment of the service provider ecosystem that has elected to have calls signed by their underlying, facilities-based wholesale partners.
Original STIR/SHAKEN Deadline and Extensions
In 2020 the FCC imposed its STIR/SHAKEN implementation deadline of June 30, 2021 for most voice providers and granted two-year extensions to SVSPs and voice providers that are unable to obtain the “token” necessary to implement STIR/SHAKEN. The carriers that took advantage of the extension were required to file Robocall Mitigation Plans (“RMPs”) by the original deadline and could wait until June 30, 2023 for full implementation.
Carriers Subject to Truncated Extensions
In an effort to expedite the eradication of illegal robocalls, the FCC curtained the deadline for non-facilities-based SVSPs (i.e., those that offer voice services to end-users solely using connections that are not sold by the provider or its affiliates). Those entities are now required to fully implement STIR/SHAKEN in the IP portions of their networks by June 30, 2022. The FCC also shortened the deadline to June 30, 2022 for SVSPs that are responsible for generating a high quantity of illegal robocalls compared to facilities-based and larger providers.
The FCC further directed the Enforcement Bureau (“EB”) to provide written notice to SVSPs suspected of being a source of illegal robocalls. Upon notice, the SVSP must take specific steps to mitigate the suspected illegal robocall traffic and, if applicable, provide credible evidence that they are not responsible for originating such traffic. If the SVSP does not promptly investigate the traffic and take steps to mitigate the identified traffic, the provider will have 90 days to fully implement STIR/SHAKEN. If the 90-day period will extend beyond June 30, 2022, the June 30 deadline will apply.
The FCC did not reduce the full STIR/SHAKEN deadline for facilities-based SVSPs; those providers may avail themselves of the original deadline of June 30, 2023 unless they are suspected of originating illegal robocalls.
Database Update Required for Affected Carriers
Non-facilities-based SVSPs and providers identified as sources of illegal robocalls, must update their Robocall Mitigation Database filings to indicate they are subject to the shortened extension by no later than MARCH 7, 2022. The database must be updated again once STIR/SHAKEN has been implemented.
FCC STIR/SHAKEN Compliance Emails
The FCC is currently sending emails to various voice providers that it believes incorrectly certified full STIR/SHAKEN compliance in the Robocall Mitigation Database or failed to make an entry into that database (e.g., did not file an RMP) by the applicable deadline. The STIR/SHAKEN program is tied into carriers’ FCC Form 477 filings. The FCC is cross-referencing the Robocall Mitigation Database with Forms 477s in which the carriers state they provide voice services. If the FCC perceives any discrepancy, it will email a carrier, ordering it to fix the purported issue and/or file an explanation that resolves the matter.
We also understand that the FCC emails are targeting VoIP providers that use their wholesale providers to sign their calls under the STIR/SHAKEN framework. What happens in this circumstance is that the provider is registered in the Robocall Mitigation Database as fully implementing STIR/SHAKEN but are NOT registered with the Secure Telephone Identity Governance Authority (STI-GA) to get a token. This happens when the provider uses a wholesale provider to sign their calls for them. The provider has implemented STIR/SHAKEN, but does not need their own token, thus they do not show up in the STI-GA lists. The FCC emails to this audience of providers is in error, one that results from the FCC’s lack of knowledge regarding its own rules, policies, and requirements.
The FCC has implemented resolution deadlines that typically fall in the second week of March 2022. Carriers must respond by the deadline or the FCC will turn the matter over to the EB, which will prosecute an enforcement action against the carrier.
If your company is impacted by the issues raised in this advisory, please contact us! We can help!