FCC Imposes New Regulations on Gateway Providers
On May 20, 2022, the Federal Communications Commission (“FCC” or “Commission”) released a Sixth Report & Order and Seventh Further Notice of Proposed Rulemaking (“R&O” and “FNPRM”), imposing additional regulatory requirements on the gateway providers that are the point of entry for foreign-originated illegal robocalls into the United States, and soliciting comments on, among other things, whether its robocall mitigation rules should be extended to carriers that are now exempt.
R&O: Additional Rules for Gateway Providers
The FCC defines a gateway provider as a “U.S.-based intermediate provider [those that have facilities located in the U.S., including a point-of-presence] that receives a call directly from a foreign originating provider or foreign intermediate provider at its U.S.-based facilities before transmitting the call downstream to another U.S.-based provider.” A provider is required to follow the new rules only for calls in which it performs the functions of a gateway provider. The definition does not include affiliates of U.S.-based carriers that receive traffic in another country and transmit that traffic to another provider to bring across the boundary of the U.S. network. The scope of the requirement is limited to calls that are carrying a U.S. number in the caller ID field.
Certification & Mitigation Plan Requirements
Gateway providers must submit a certification and mitigation plan to the FCC’s Robocall Mitigation Database (“RMD”), describing their robocall mitigation practices and stating that they are adhering to them. The deadline is 30 days after publication in the Federal Register of notice of approval by the Office of Management and Budget (“OMB”). The FCC’s Wireline Competition Bureau will release a follow-up public notice with more information on the deadline and related information. The information that must be included is generally the same as that which voice service providers (“VSPs”) were required to submit in their robocall mitigation plans, with some minor variations:
- certify status of STIR/SHAKEN implementation and robocall mitigation on their networks;
- submit contact information for a person responsible for addressing robocall mitigation-related issues;
- explain how they are complying with the know-your-upstream-provider obligation (described below); and
- certify that they will comply with traceback requests within 24 hours.
Downstream providers will be prohibited from accepting any traffic from a gateway provider not listed in the RMD. The deadline for compliance is 90 days following the deadline for gateway providers to submit a certification to the RMD. Downstream providers are required to block calls if they have a reasonable basis to believe that the upstream provider acts, for some calls, as a VSP or gateway provider and that the provider is not listed in the RMD. Downstream carriers are prohibited from blocking 911 calls and must avoid blocking calls from PSAPs and government outbound emergency numbers, regardless of whether the upstream carrier is listed in the RMD.
Gateway providers must block, rather than simply effectively mitigate, illegal traffic when notified of such traffic by the Commission, and providers immediately downstream from the gateway provider must block all traffic from an identified gateway provider that has failed to meet its blocking obligation upon FCC notification. The FCC’s Enforcement Bureau will send the applicable carrier a Notice of Suspected Illegal Traffic and will provide the carrier with time to investigate and act on the Notice. If the carrier fails to respond or provide the requested information, the Enforcement Bureau will instruct downstream carriers to block all traffic from the identified carrier. The compliance deadline for gateway and downstream providers to block upon Commission notification is 60 days after publication of the R&O in the Federal Register.
In addition to certifying and submitting mitigation plans in the RMD, gateway providers must implement STIR/SHAKEN to authenticate SIP calls that are carrying a U.S. number in the caller ID field. The deadline for compliance is June 20, 2023. In order to comply with this requirement, a gateway provider must authenticate caller ID information for all SIP calls it receives for which the caller ID information has not been authenticated and which it will exchange with another provider as a SIP call. A gateway provider can satisfy its authentication requirement if it adheres to the three ATIS standards that are the foundation of STIR/SHAKEN (ATIS-1000074, ATIS-1000080, and ATIS-1000084) and all documents referenced therein.
Gateway providers must fully respond to traceback requests from the FCC, law enforcement, and the Industry Traceback Group within 24 hours of receiving them. The compliance deadline is 30 days after publication in the Federal Register of notice of approval by OMB.
Know Your Upstream Provider
The FCC requires gateway providers to take “reasonable and effective steps” to ensure that the immediate upstream foreign provider is not using the gateway provider to carry or process a high volume of illegal traffic onto the U.S. network. The FCC adopts a flexible approach; gateway providers can determine the exact measures they choose to take, including whether to adopt contractual provisions with their upstream providers to meet this obligation. The compliance deadline is 180 days after publication of the R&O in the Federal Register.
FNPRM: Extending Robocall Mitigation Requirements
In the FNPRM, the FCC solicits comments on extending robocall mitigation duties to carriers that are now exempt, and related matters. Specifically, the FCC seeks comments on:
- whether all U.S. intermediate providers should authenticate caller ID information consistent with STIR/SHAKEN for SIP calls that are carrying a U.S. number in the caller ID field;
- whether all subject providers must comply with the current version of the STIR/SHAKEN standards (ATIS-1000074, ATIS-1000080, and ATIS-1000084) and any other IP authentication standards adopted as of the compliance deadline;
- whether all providers should adopt a non-IP caller ID authentication solution;
- whether the FCC should broaden the classes of providers subject to certain mitigation obligations;
- whether all domestic carriers (not just gateway providers) should be required to respond to traceback requests within 24 hours;
- whether all domestic providers must block, rather than simply effectively mitigate, illegal traffic when notified of such traffic by the Commission, regardless of whether that traffic originates abroad or domestically;
- whether, and if so how, the FCC should clarify its rule requiring providers to take affirmative, effective measures to prevent new and renewing customers from using their network to originate illegal calls;
- whether originating carriers should ensure that customers originating non-conversational traffic only must seek to originate lawful calls exclusively (e.g., by investigating such customers prior to allowing them access to high-volume origination services);
- whether the “reasonable steps” standard should be modified to include specific actions carriers must make in mitigating illegal robocalls;
- whether intermediate carriers must submit a certification to the RMD describing their robocall mitigation practices and stating that they are adhering to those practices, regardless of whether they have fully implemented STIR/SHAKEN;
- whether the FCC should levy non-compliance sanctions as follows:
  - impose forfeitures for failures to block calls on a per-call basis and establish a maximum forfeiture amount for such violations;
  - impose the highest available forfeiture for failures to appropriately certify in the RMD;
  - establish additional bases for removal from the RMD, including by establishing a “red light” feature to notify the Commission when a newly-filed certification lists a known bad actor as a principal, parent company, subsidiary, or affiliate; and
  - subject repeat offenders to proceedings to revoke their section 214 operating authority and to ban offending companies and/or their individual company owners, directors, officers, and principals from future significant association with entities regulated by the Commission;
- whether the FCC should impose some robocall mitigation requirements on carriers exempted because of inability to perform STIR/SHAKEN, such as know your customer;
- whether STIR/SHAKEN requirements should be extended to satellite providers;
- whether the FCC should adopt direct or indirect restrictions on the use of domestic numbering resources for calls that originate inside or outside of the United States for termination in the United States;
- whether the Commission should allow a third party to authenticate caller identification information to satisfy the originating provider’s obligation;
- whether cellular roaming traffic (i.e., traffic originated abroad from U.S. mobile subscribers carrying U.S. NANP numbers terminated in the U.S.) should be treated with a lighter touch than other international traffic; and
- whether there are other categories of traffic that should be subject to greater or lesser scrutiny than other voice traffic under the FCC’s robocall mitigation rules.
NEED HELP WITH ROBOCALL MITIGATION, COMPLIANCE AND LITIGATION SUPPORT/DEFENSE AGAINST BUSINESS & LEGAL CHALLENGES?
The CommLaw Group Can Help!
Given the complexity and evolving nature of the FCC’s rules, regulations and industry policies & procedures around Robocall Mitigation and Compliance issues (e.g., Stir/Shaken, TRACED Act, FCC Rules & Regulations, US Telecom Industry group, ATIS, NECA, VoIP Numbering Waivers, Know Your Customer and the private sector ecosystem), as well as the increased risk of business disputes, consumer protection enforcement by state attorneys general, and even civil litigation, and anticipating the potential torrent of client questions and concerns, The CommLaw Group formed a “Robocall Mitigation Response Team” to help clients (old and new) tackle their unique responsibilities.
CONTACT US NOW, WE ARE STANDING BY TO GUIDE YOUR COMPANY’S COMPLIANCE EFFORTS
- Michael Donahue – Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
- Rob Jackson – Tel: 703-714-1316 / E-mail: rhj@CommLawGroup.com
- Ron Quirk – Tel: 703-714-1305 / E-mail: req@CommLawGroup.com