Last week, the Federal Communications Commission (“FCC” or “Commission”) released a draft Report and Order and Notice of Proposed Rulemaking (“Order” and “NPRM”) that will impose drastic and stringent new robocall mitigation rules on all voice service providers (“VSPs”) operating in the U.S.  When finalized, the new rules will apply to VSPs previously exempted from the Commission’s STIR/SHAKEN rules, as well as VSPs that are already STIR/SHAKEN compliant. The Commission further proposes to levy harsh penalties on non-compliant VSPs. The FCC also seeks comment on some proposed STIR/SHAKEN rules.

The draft Order and NPRM will be voted on during the Commission’s March 16, 2023 Open Meeting. While it is possible that minor changes may made to the draft before it is finalized, it will almost surely be approved without any watering down of the substantive provisions. We believe it is critical for all affected VSPs to get an early start learning about and understanding the new requirements to ensure preparedness to swiftly comply once the new rules become finalized and effective.  We would NOT advise taking a “wait and see” approach because waiting too long can result in any number of materially adverse consequences, including having traffic blocked, economic exposure, and reputational damage.

This Client Advisory provides a high-level overview of the requirements set forth in the Order and summarizes the information the FCC is seeking through the NPRM. There are numerous details contained in the new rules that are beyond the scope of this Advisory that VSPs must know prior to implementing compliance measures. The attorneys on our firm’s Robocall Mitigation Response Team will be glad to provide guidance regarding all the nuances of the new rules.

Order

Intermediate Carrier Mandatory Authentication Requirements

Intermediate carriers (i.e., entities that carry or process traffic that traverses the Public Switched Telephone Network (“PSTN”) but do not originate or terminate the traffic) will be required to authenticate unauthenticated session initial protocol (“SIP”) calls they receive from originating VSPs. Intermediate carriers will no longer be able to comply with the STIR/SHAKEN rules simply by agreeing to rapidly respond to traceback requests. Intermediate VSPs are obligated to comply with, at a minimum, the version of the STIR/SHAKEN standards ATIS-1000074, ATIS-1000080, and ATIS-1000084 and all of the documents referenced therein in effect at the time of their respective compliance deadlines.

          Restrictions on the Requirement

This new rule is subject to certain limitations. First, the FCC will require only the first intermediate provider in the path of a SIP call to authenticate unauthenticated caller ID information. Second, this requirement does not apply to gateway intermediate providers (i.e., carriers that are the first point of contact for foreign calls entering the U.S.). Third, the first intermediate provider in the call path may avoid the need to authenticate calls through contractual measures.

          Deadline for Compliance

The compliance deadline for the new authentication requirements is December 31, 2023.

Mitigation and Robocall Mitigation Database Filing Obligations

Under the new rules, all VSPs, including: (a) intermediate providers, (b) those without the facilities necessary to implement STIR/SHAKEN, and (c) carriers that are already STIR/SHAKEN compliant, will be required to comply with the following:

• must take “reasonable steps” to mitigate illegal robocall traffic;
• submit a certification to the FCC’s Robocall Mitigation Database; and
• submit a robocall mitigation plan.

          Robocall Mitigation Steps

The “reasonable steps” requirement is the same as the general mitigation standard that is currently applied to gateway providers and VSPs that have not fully implemented STIR/SHAKEN under the Commission’s rules.

          Robocall Mitigation Certification

Each VSP obligated to submit a certification to the Robocall Mitigation Database must submit detailed information regarding the company, its policies and practices, its role in the “food chain,” and other specific information set forth in the proposed new rules. The certification must be signed by an officer of the company under penalty of perjury.

          Robocall Mitigation Plans

All VSPs’ robocall mitigation plans must describe all “reasonable steps” taken by the company to comply with the regulations, including the specific steps a VSP is taking to mitigate illegal robocalls, “know your customer” procedures, and a description of any call analytics system used to identify and block illegal traffic, including whether a third-party vendor is used and the name of the vendor.

          OCN Submission Requirements

Finally, the FCC requires that all VSPs submit their operating company code (“OCN”) in their certifications if they have one.

          Deadline for Compliance

The compliance deadline for the new robocall mitigation requirements is either: (1) 30 days following publication in the Federal Register; or (2) any deadline set by the Wireline Competition Bureau through a Public Notice.

          Downstream Providers’ Call Blocking Requirements

Under the new rules, downstream providers will be prohibited from accepting any traffic from a non-gateway intermediate provider not listed in the Robocall Mitigation Database.

Robocall Mitigation Enforcement

          Economic Sanctions

The FCC has authorized a maximum forfeiture amount for each violation of the mandatory blocking requirements of $23,727 per call. The base forfeiture amount will be $2,500 per call.

          Removal from Robocall Mitigation Database

If the FCC determines that an intermediate provider has submitted a deficient certification and/or robocall mitigation plan or if it concludes that a VSP knowingly or negligently carries or processes illegal robocalls, the Commission will take appropriate enforcement action. This could include removing a certification from the database after providing notice to the intermediate provider and an opportunity to cure the filing, requiring the intermediate provider to submit to more specific robocall mitigation requirements, and/or proposing the imposition of a forfeiture.

          Continuing Violations

Continuing violations of the FCC’s robocall mitigation rules will result in enforcement actions that could include, in addition to the sanctions listed above, revocation of carrier’s authorizations, licenses, and/or certifications. The Commission will also consider whether individual company owners, directors, officers, and principals associated with an entity for which we have revoked a Commission authorization may be prohibited from obtaining new Commission authorizations or licenses.

STIR/SHAKEN Obligations of Satellite Providers

The FCC has concluded that satellite providers that do not use North American Number Plan (“NANP”) numbers to originate calls or only use such numbers to forward calls to non-NANP numbers are not VSPs and therefore do not have a STIR/SHAKEN implementation obligation. Regarding satellite providers that use NANP numbers and are small VSPs under the rules are granted an ongoing extension from robocall mitigation requirements.

In addition to the proposed rules highlighted above, the FCC is seeking comments on additional ideas, concepts, and potential future rule enhancements and expansions through the NPRM, which is summarized below.

NPRM

Third-Party Caller ID Authentication

The FCC seeks comment on the use of third-party solutions to authenticate caller ID information and whether any changes should be made to the Commission’s rules to permit, prohibit, or limit their use. The FCC also seeks comment on whether, and under what circumstances, a third party may authenticate calls on behalf of a provider with A- or B-level attestations consistent with the ATIS standards.

Eliminating the Implementation Extension for Providers Unable to Obtain a STIR/SHAKEN Token

The Commission seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for VSPs that cannot obtain a token.

Comment/Reply Deadlines

Comments are due 30 days after publication in the Federal Register. Reply comments are due 60 days after publication in the Federal Register.

NEED HELP WITH ROBOCALL MITIGATION, COMPLIANCE AND LITIGATION SUPPORT/DEFENSE AGAINST BUSINESS & LEGAL CHALLENGES?

The CommLaw Group Can Help!

Given the complexity and evolving nature of the FCC’s rules, regulations and industry policies & procedures around Robocall Mitigation and Compliance issues (e.g., Stir/Shaken, TRACED Act, FCC Rules & Regulations, US Telecom Industry group, ATIS, NECA, VoIP Numbering Waivers, Know Your Customer and the private sector ecosystem), as well as the increased risk of business disputes, consumer protection enforcement by state attorneys general, and even civil litigation, and anticipating the potential torrent of client questions and concerns, The CommLaw Group formed a “Robocall Mitigation Response Team” to help clients (old and new) tackle their unique responsibilities.

CONTACT US NOW, WE ARE STANDING BY TO GUIDE YOUR COMPANY’S COMPLIANCE EFFORTS

• Michael Donahue — Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
• Rob Jackson – Tel: 703-714-1316 / E-mail: rhj@CommLawGroup.com
• Ron Quirk – Tel: 703-714-1305 / E-mail: req@CommLawGroup.com