The Federal Communications Commission (FCC) has adopted a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that, among other things, imposes significant robocall mitigation requirements on "gateway providers" (defined as any provider that receives a call directly from a foreign provider at its U.S.-based facilities) to help "stop the flood of foreign-originated illegal calls," including calls "sent on a circuitous path out of and then back into the U.S."
The Report and Order extends to gateway providers the call authentication and robocall mitigation obligations previously imposed on other voice service providers in the domestic call network, including the implementation of STIR/SHAKEN by June 30, 2023, and Robocall Mitigation Database (RMD) certification and reporting requirements. However, the Report and Order goes further by imposing on gateway providers a "know-your-upstream-provider" requirement and strict 24-hour traceback and mandatory blocking obligations. The FCC also adopted a new blocking requirement for providers that are downstream from gateway providers that will take effect 60 days after the Report and Order's publication in the Federal Register.
As explained in multiple advisories and posts tracking the TRACED Act's implementation, in March 2020, the FCC began adopting and implementing certain robocall enforcement rules and mechanisms, among which were:
- 1. The establishment of a "traceback" consortium dedicated to identifying and tracing illegal robocalls;
- 2. A rule requiring originating and terminating providers to implement STIR/SHAKEN on IP network portions by June 30, 2021;
- 3. Safe harbor protections for providers that unintentionally or inadvertently block lawful calls;
- 4. And, most recently, a new rule requiring intermediate providers (including gateway providers) to pass unaltered any authenticated Identity header for Session Initiation Protocol (SIP) calls received from a STIR/SHAKEN participant.
While the FCC's pre-existing rules may mitigate domestic-originated fraudulent robocalls, they provided limited protection from illegal foreign calls that are the primary focus of the Report and Order's new rules.
Downstream Providers' Call Blocking Duty
Downstream providers that directly connect to accept gateway provider traffic will be required, within 60 days of publication of the rule, to block all gateway provider traffic where:
- 1. They have a "reasonable basis" to believe that the upstream provider acts, for some calls, as a gateway provider that has failed to submit an RMD certification or is delisted from the RMD.
- 2. The FCC releases a Final Determination Order in EB Docket No. 22-174 announcing a gateway provider's failure to comply with the FCC's mandatory blocking obligations, which are discussed below.
Downstream providers should work with vendors and counsel as needed to develop procedures that enable ongoing monitoring of these conditions.
Starting June 30, 2023, gateway providers will be required to implement STIR/SHAKEN in all IP portions of their networks to authenticate any SIP call that is carrying a U.S. number in the caller ID field. Gateway providers are not required to authenticate calls with foreign numbers (or that include a U.S. number in the Automatic Number Identification (ANI) field only). For the TDM portions of their networks, gateway providers will be required to either upgrade to IP and implement STIR/SHAKEN or work with a standards group or consortium to develop a non-IP caller ID authentication solution.
Robocall Mitigation Database Certification and Filing Requirements
Gateway providers will be required to submit a certification and robocall mitigation plan to the RMD. The certification obligation requires gateway providers to:
- 1. Indicate the status of their implementation of STIR/SHAKEN in the IP portions of their network;
- 2. Certify that they are adhering to the practices described in their robocall mitigation plan; and
- 3. Certify that they will comply with the 24-hour traceback requirement (described below).
The filing obligation also requires gateway providers to submit:
- 1. Contact information for a company representative responsible for addressing robocall issues;
- 2. A description of their robocall mitigation practices; and
- 3. A description of how they are complying with the below-described "know-your-upstream-provider" obligation.
Recognizing that many gateway providers will have already submitted a STIR/SHAKEN certification and robocall mitigation plan to the RMD as a voice service provider under existing FCC rules, the FCC also requires providers that play this mixed role to separately detail the mitigation steps they take as a gateway provider and as a voice service provider. Gateway providers that fail to comply with any of the RMD requirements or that "knowingly or negligently" originate, carry, or process illegal robocall campaigns will face enforcement action, including forfeiture and removal from the RMD, thus subjecting them to having all traffic blocked by downstream providers.
Gateway providers must comply with the RMD certification and filing requirements within 30 days of publication of notice of Office of Management and Budget (OMB) approval in the Federal Register.
Mandatory Blocking Obligations
Under existing rules, gateway providers are only required to take steps to "effectively mitigate" illegal robocall traffic when notified of such traffic by the FCC. However, recognizing that the "effective mitigation" requirement still allowed illegal foreign calls to reach consumers, gateway providers are now required to block both calls specifically identified by the FCC and all "substantially similar" traffic. Gateway providers must also block calls based on a "reasonable" Do Not Originate, or DNO, list, as well as any calls from a foreign provider that is not registered in the RMD. While gateway providers that fail to meet these obligations will be given an opportunity to resolve any blocking issues identified by the FCC, a gateway provider's failure to respond or insufficiently resolve the identified issues will result in the FCC's issuance of a Final Determination Order in EB Docket No. 22-174 directing downstream providers that are directly connected to the gateway provider to block all of the gateway provider's traffic within 30 days of the Order's release.
With respect to the blocking of "substantially similar" calls to those identified in an FCC notice, the FCC declined to define or characterize what qualifies as being within the scope of this requirement, noting only that the requirement "is not tied to the number in the caller ID field" of any identified calls or based on "any other single criterion" because "a detailed definition could allow bad actors to circumvent this blocking by providing a roadmap as to how to avoid detection." However, the FCC encourages gateway providers to consider "common indicia" of illegal calls in implementing their compliance regime, including "call duration; call completion ratios; large bursts of calls in a short time frame; neighbor spoofing patterns; and sequential dialing."
The FCC similarly did not define a "reasonable" DNO list; however, it noted that such list should include, at a minimum, any inbound-only government numbers for which a government entity has requested blocking as well as private inbound-only numbers that have previously been used in imposter scams. Further, the FCC noted that such a list may include up-to-date invalid, unallocated, and unused numbers, as well as numbers for which the subscriber has requested blocking.
Gateway and downstream providers must comply with the requirements to block upon FCC notification within 60 days of the Report and Order's publication in the Federal Register, while gateway providers must comply with the DNO blocking requirement within 30 days of publication of notice of OMB approval in the Federal Register.
Know-Your-Upstream-Provider Authentication Requirement
Gateway providers will be required within 180 days of the Report and Order's publication in the Federal Register to take "reasonable and effective" "know-your-customer" measures to try to ensure their immediate upstream foreign providers are not using the gateway provider to process a high volume of illegal traffic. Similar to its robocall mitigation plan rules, the FCC does not mandate the steps gateway providers must take to "know" their upstream foreign providers, instead allowing providers the flexibility to determine the exact measures to take, including whether to adopt contractual provisions with their upstream providers to meet this obligation and the contours of any such provisions.
24-Hour Traceback Requirement
Gateway providers will be required to comply with a mandatory 24-hour response requirement, which is stricter than the looser timeliness standard applied to other providers. However, gateway providers will only be required to identify the foreign provider from which the gateway provider received the call – not the originating provider or the originating customer.
Gateway providers must begin responding to traceback requests within 24 hours no later than 30 days after publication of notice of OMB approval in the Federal Register.
Order on Reconsideration and Further Notice of Proposed Rulemaking
The Order on Reconsideration pertains to petitions for reconsideration filed by CTIA and the Voice on the Net ("VON") Coalition, which requested that the FCC eliminate or otherwise curtail the previously adopted requirement that domestic providers only accept calls directly from a foreign provider that is registered in the Robocall Mitigation Database, which was subject to a stay of enforcement in 2021. However, in reaffirming and imposing on all gateway providers a requirement that they only accept calls from RMD-registered foreign providers, discussed supra, the FCC ended this stay and denied these petitions, concluding that the arguments made therein are not supported and/or are not mooted by the Report and Order's rules.
In a separate advisory we will address the FNPRM, which seeks comment on, among other issues, extending STIR/SHAKEN to all intermediate providers, applying mitigation obligations to a broader range of providers, and new enforcement rules, all as part of the FCC's "battle against illegal robocalls."
* * * * * * *
Please let us know if you have questions or would like assistance with STIR/SHAKEN enrollment, robocall mitigation, and "know-your-upstream-provider" plans, FCC certifications, or other aspects of implementing the FCC's Report and Order.